Abstract 



Secure multi-party computation is a task whereby mistrustful parties 
attempt to compute some joint function of their private data in such 
a way as to reveal as little as possible about it. It encompasses many 
cryptographic primitives, including coin tossing and oblivious trans- 
fer. Ideally, one would like to generate either a protocol or a no-go 
theorem for any such task. 

Very few computations of this kind are known to be possible with 
unconditional security. However, relatively little investigation into 
exploiting the cryptographic power of a relativistic theory has been 
carried out. In this thesis, we extend the range of known results 
regarding secure multi-party computations. We focus on two-party 
computations, and consider protocols whose security is guaranteed by 
the laws of physics. Specifically, the properties of quantum systems, 
and the impossibility of faster-than-light signalling will be used to 
guarantee security. 

After a general introduction, the thesis is divided into four parts. In 
the first, we discuss the task of coin tossing, principally in order to 
highlight the effect different physical theories have on security in a 
straightforward manner, but, also, to introduce a new protocol for 
non-relativistic strong coin tossing. This protocol matches the secu- 
rity of the best protocol known to date while using a conceptually 
different approach to achieve the task. It provides a further example 
of the use of entanglement as a resource. 

In the second part, a new task, variable bias coin tossing, is intro- 
duced. This is a variant of coin tossing in which one party secretly 
chooses one of two biased coins to toss. It is shown that this can be 
achieved with unconditional security for a specified range of biases, 
and with cheat-evident security for any bias. We also discuss two fur- 
ther protocols which are conjectured to be unconditionally secure for 
any bias. 

The third section looks at other two-party secure computations for 
which, prior to our work, protocols and no-go theorems were unknown. 
We introduce a general model for such computations, and show that, 
within this model, a wide range of functions are impossible to compute 
securely. We give explicit cheating attacks for such functions. 

In the final chapter we investigate whether cryptography is possible 
under weakened assumptions. In particular, we discuss the task of 
expanding a private random string, while dropping the assumption 
that the protocol's user trusts her devices. Instead we assume that all 
quantum devices are supplied by an arbitrarily malicious adversary. 
We give two protocols that we conjecture securely perform this task. 
The first allows a private random string to be expanded by a finite 
amount, while the second generates an arbitrarily large expansion of 
such a string. 
Chapter 1 
Introduction 



"If you wish another to keep your secret, first keep it to yourself. " - 
Lucius Annaeus Seneca 

1.1 Preface 

Secrecy has been an important aspect of life since the birth of civilization, if not 
before - even squirrels hide their nuts. While the poor squirrel has to rely on 
unproven assumptions about the intelligence and digging power of its adversaries, 
we, today, seek a more powerful predicate. We demand unconditional security, 
that is security guaranteed by the laws of physics. 

One common example is that of a base communicating with a field agent. In 
the standard incarnation of this problem, Alice, at base, uses a key to encrypt 
her data, before sending the encryption in the clear to agent Bob. An eavesdrop- 
per, Eve, hearing only the encrypted message can discover little about the data. 
Shannon's pioneering work on information theory implies that to achieve perfect 
secrecy, so that, even if she possesses the entire encrypted message, Eve can do 
no better than simply guess Alice's message, requires a key that is at least as 
long as the message. 

This is an inconvenient result. Distributing, carrying and securely storing long 
keys is expensive. In the 1970s, a band of classical cryptographers came up with 
a set of practical ciphers to which they entrusted their private communications, 
and indeed many of us do today. These evade Shannon's requirement on the 
key by assuming something about the power of an eavesdropper. The Rivest, 
Shamir and Adleman cipher (RSA), for instance, assumes that an eavesdropper 
finds it hard to factor a large number into the product of two primes. Security 
then has a finite lifetime, the factoring time. Although for matters of national 
security, such a cryptosystem is inappropriate, it is of considerable use to protect 
short-lived secrets. For instance if it is known that a hacker takes 20 years to 
find out a credit card number sent over the internet, one simply needs to issue 
new credit card numbers at least every 20 years. But it is not that simple. It 
may take 20 years running the best known algorithm on the fastest computer 
available today to break the code, but this could change overnight. The problem 
with relying on a task such as factoring is that no one actually knows how hard 
it is. In some sense, we believe it is secure because very clever people have spent 
large amounts of time trying to find a fast factoring algorithm implementable 
on today's computers, and have failed. More alarmingly, we actually know of a 
factoring algorithm that works efficiently on a quantum computer. We are then 
relying for security on no one having successfully built such a computer. Perhaps 
one already exists in the depths of some shady government organization. There 
are bigger secrets than one's credit card numbers, and for these, we cannot risk 
such possibilities. 

As we have mentioned, a quantum computer can efficiently break the cryp- 
tosystems we use today. Quantum technology also allows us to build cryptosys- 
tems with improved power, and in fact such that they are provably unbreakable 
within our assumptions. The usefulness of quantum mechanics in cryptography 
went un-noticed for many years. Wiesner made the first step in 1970 in a work 
that remained unpublished until 1983. In 1984, Bennett and Brassard extended 
Wiesner's idea to introduce the most notorious utilization of quantum mechanics 
in cryptography - quantum key distribution. This allows a key to be generated 
remotely between two parties with unconditional security, thus circumventing 
the problem of securely storing a long key. The principle behind Bennett and 
Brassard's scheme is that measuring a quantum state necessarily disturbs it. If 
an eavesdropper tries to tap their quantum channel, Alice and Bob can detect 
this. If a disturbance is detected, they simply throw away their key and start 
again. Any information Eve gained on the key is useless to her since this key will 
be discarded. Alice and Bob can then be assured of their privacy. Remote key 
distribution is impossible classically, hence quantum mechanics is, at least in this 
respect, a cryptographically more powerful theory. 

Other cryptographic primitives have been applied to the quantum setting. 
These so-called post cold war applications focus on exchange of information be- 
tween potentially mistrustful parties. Multiple parties wish to protect their own 
data (perhaps only temporarily) while using it in some protocol. Bit commitment 
is one such example. In an everyday analogy of this primitive, Alice writes a bit 
on a piece of paper and locks it in a safe. She sends the safe to Bob, but keeps the 
key. At some later time Alice can unveil the bit to Bob by sending him the key, 
thus proving that she was committed to the bit all along. Of course, this scheme 
is not fundamentally secure — it relies on unproven assumptions about the size of 
sledgehammer available to Bob. Mayers, Lo and Chau showed that a large class 
of quantum bit commitment schemes are impossible. This cast major doubt on 
the possible success of other such primitives, but all was not lost. In 1999, Kent 
noticed that exploiting another physical theory might rescue the situation. (He 
was not in fact the first to consider using this theory, but seems to be the first 
to obtain a working result.) Special relativity¹ demands that information does 
not travel faster than the speed of light. The essence of its usefulness is that in 
a relativistic protocol, we can demand that certain messages be sent simultane- 
ously by different parties. The receipt times can then be used to guarantee that 
these messages were generated independently. Coin tossing, for example becomes 
very straightforward. Alice and Bob simply simultaneously send one another a 
random bit. If the bits are equal, they assign heads, if different, they assign tails. 
Relativistic protocols have been developed to realise bit commitment with, at 
present, conjectured security. 



1.2 Synopsis 

This thesis is divided into five chapters. 

¹ Strictly, special relativity and the assumption of causality. 

Introduction : The remainder of this chapter is used to introduce several 
concepts that will be important throughout the thesis. We discuss quantum key 
distribution, and in particular the use and security of universal hash functions 
as randomness extractors in privacy amplification. We introduce types of secu- 
rity, and discuss the assumptions underlying the standard cryptographic model, 
before describing the general physical frameworks in which our protocols will be 
constructed. Finally, we describe some important cryptographic primitives. 

The Power Of The Theory — Strong Coin Tossing: We introduce the 
task of strong coin tossing and use it to highlight the fact that different physical 
theories generate different amounts of power in cryptography. Our contribution 
here is a new protocol applicable in the non-relativistic quantum case. It equals 
the best known bias to date for such protocols, but does so using a conceptually 
different technique to that of protocols found in the literature. It provides a 
further example of the use of entanglement as a resource. Our protocol, Protocol 2.2, and an analysis of its security have appeared in [1]. 

Variable Bias Coin Tossing: In this chapter we divide secure two-party 
computations into several classes before showing that a particular class is achiev- 
able using a quantum relativistic protocol. The simplest non-trivial computation 
in this class, a variable bias coin toss, will be discussed in detail. Such tasks have 
not been considered in the literature to date, so this chapter describes a new 
positive result in cryptography. We prove that this task can be achieved with 
unconditional security for a specified range of biases, and with cheat-evident se- 
curity for any bias. We also discuss two further protocols which are conjectured to 
be unconditionally secure for any bias. Most of the work covered by this chapter 
has appeared in a separate publication. 



Secure Two-Party Computation: In this chapter, we study the re- 
maining classes of two-party computation for which, prior to our work, neither 
protocols nor no-go theorems were known. We set up a general model for such 
computations, before giving a cheating attack which shows that a wide range of 
functions within these classes are impossible to compute securely. The culmination of these results is given in a summary table in that chapter. A publication on these results is in preparation. 

Randomness Expansion Under Relaxed Cryptographic Assumptions: 

In the final chapter, we discuss a cryptographic task, expanding a private random 
string, while relaxing the standard assumption that each party trusts all of the 
devices in their laboratory. Specifically, we assume that all quantum devices are 
provided by a malicious supplier. We give two protocols that are conjectured 
to securely perform this task. The first allows a private random string to be 
expanded by a finite amount, while the second generates an arbitrarily large ex- 
pansion of such a string. Constructing formal security proofs for our protocols is 
currently under investigation. 

1.3 Preliminaries 

The reader well versed in quantum information theory notions can skip this sec- 
tion; for the non-specialist reader, we provide an outline of some of the aspects 
that we draw upon regularly in the forthcoming chapters. 

1.3.1 Local Operations 

We will often talk of local operations. These describe any operation that a party 
can do on the part of the system they hold locally, as dictated by the laws of 
physics (specifically quantum mechanics). For quantum systems, these fall into 
three classes: altering the size of the system, performing unitary operations, and 
performing measurements. A local operation can comprise any combination of 
these. 

System Size Alteration : This is operationally trivial. A system can 
be enlarged simply by combining it with another system, and contracted by dis- 
carding the other system. When systems are enlarged, the combined system then 
lives in the tensor product of the spaces of the original systems, and its state is 
given by the tensor product of the states of the two individual systems, which we 
denote with the symbol ⊗. 
Unitary Operations : These are implemented by applying some Hamiltonian to the system in question, for example by placing it in an external field. The system's dynamics follow that of the time-dependent Schrödinger equation. 
This defines a unitary operation on the Hilbert space of the system. In theory, 
any unitary can be enacted on the system by varying external fields appropri- 
ately, and applying them for the correct time periods. However, technologically, 
this represents a considerable challenge. 

Measurement : The most general type of measurement that one needs to consider is a projective measurement. Such a measurement is defined by a set of operators $\{\Pi_i\}$ with the property that $\Pi_i^2 = \Pi_i$ and $\sum_i \Pi_i = \mathbb{1}$, the identity operator. The postulates of quantum mechanics demand the outcome of such a measurement on a system in state $\rho$ to be $i$ with probability $\mathrm{tr}(\Pi_i \rho)$, and that the subsequent state of the system on measuring $i$ is $\Pi_i \rho \Pi_i / \mathrm{tr}(\Pi_i \rho)$. 

While this is the most general type of measurement we need, it will often be convenient to use the positive operator valued measure (POVM) formalism, whereby a measurement is defined by a set of positive operators $\{E_i\}$ which obey $\sum_i E_i = \mathbb{1}$. An outcome $i$ leaves the state of the system as $\sqrt{E_i}\,\rho\,\sqrt{E_i} / \mathrm{tr}(E_i \rho)$ and occurs with probability $\mathrm{tr}(E_i \rho)$. 

Any POVM can be realized as the combination of an enlargement of the system, a unitary operation, and projective measurement (this result is often called Neumark's theorem [3]). The following is equivalent to performing the POVM with elements $\{E_i\}$ on a system in state $\rho$: Introduce an ancilla in state $|0\rangle$, and perform the unitary operation, $U$, given by $U|0\rangle|\psi\rangle = \sum_i |i\rangle \otimes \sqrt{E_i}\,|\psi\rangle$.² Then measure the projector onto $\{|i\rangle\langle i| \otimes \mathbb{1}\}$, generating the state $|i\rangle\langle i| \otimes \sqrt{E_i}\,\rho\,\sqrt{E_i} / \mathrm{tr}(E_i \rho)$ with probability $\mathrm{tr}(E_i \rho)$. On discarding the ancillary system, this operation is equivalent to that of the POVM. 

Any combination of these operations forms what we term a local operation. It is easy to verify that any large sequence of such operations can be reduced to at most 4 steps: First, the system is enlarged, then it is measured, then a unitary operation is performed on it (possibly one that depends on the result), and finally part of the system is discarded (again, possibly depending on the result). 

² This unitary is only partially specified, since we have only defined its operation when the first register is in the state $|0\rangle$. However, it is easily extended to a unitary over the entire space. 

Local operations have the property that for a system comprising subsystems 
Q and R, no local operation on Q can be used to affect the outcome probabilities 
of any measurement on system R, even if the two systems are entangled. This 
property means that quantum theory does not permit superluminal signalling. 

Another important property of local operations is that on average they cannot 
increase entanglement between separated subsystems. 

1.3.1.1 Keeping Measurements Quantum 

Rather than perform a measurement as prescribed by a protocol, it turns out that 
one can instead introduce an ancillary register, and perform a controlled NOT 
between the system that was to be measured and this ancilla. The additional 
register in effect stores the result of the measurement, such that if it is later 
measured, the entire system collapses to that which would have been present if the 
measurement had been performed as the protocol prescribed. This result holds 
for any sequence of operations that occur on the system in the time between the 
controlled operation and the measurement on the ancilla. If one of these further 
operations should be dependent on the measurement outcome, then, instead, a 
controlled operation is performed with the outcome register as the control bit. 
The process of delaying a measurement in this way is often referred to as "keeping 
the measurement quantum". Figure 1.1 illustrates this procedure. 
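As an added illustration (not part of the thesis), the following Python script simulates both sequences of operations of Figure 1.1 with a concrete choice of $U_0 = \mathbb{1}\otimes H$ (a Hadamard on the second qubit), $U_1$ = CNOT, amplitudes $a = 0.6$, $b = 0.8$ and $|\psi\rangle = (|0\rangle + i|1\rangle)/\sqrt{2}$; these values are assumptions chosen for the example. It checks that the outcome probabilities and the final two-qubit states agree, which is exactly the property a party relies on when it keeps a measurement quantum instead of performing it when the protocol says so.

```python
import math

# Added example (not from the thesis): explicit versus deferred z-basis measurement.
# Qubit order: S (the qubit to be measured), T (carries |psi>), A (ancilla).
# Basis index of the two-qubit register S,T is 2s + t; of S,T,A it is 4s + 2t + a.

R = 1 / math.sqrt(2)
U = {
    0: [[R, R, 0, 0], [R, -R, 0, 0], [0, 0, R, R], [0, 0, R, -R]],  # 1 ⊗ Hadamard on T
    1: [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 0, 1], [0, 0, 1, 0]],      # CNOT, S controls T
}
PSI = [R, 1j * R]          # constructed |psi> = (|0> + i|1>)/sqrt(2)
A_AMP, B_AMP = 0.6, 0.8    # constructed amplitudes a, b with |a|^2 + |b|^2 = 1


def matvec(M, v):
    return [sum(M[i][j] * v[j] for j in range(len(v))) for i in range(len(M))]


def measure(vec, bit):
    """Projective z-basis measurement of the qubit stored at bit position `bit`.
    Returns {outcome: (probability, normalised post-measurement state)}."""
    out = {}
    for k in (0, 1):
        amps = [v if ((i >> bit) & 1) == k else 0j for i, v in enumerate(vec)]
        p = sum(abs(x) ** 2 for x in amps)
        if p > 1e-12:
            out[k] = (p, [x / math.sqrt(p) for x in amps])
    return out


def explicit_measurement(a, b, psi):
    """Procedure (a): measure S, then apply U_s chosen by the classical outcome s."""
    vec = [a * psi[0], a * psi[1], b * psi[0], b * psi[1]]   # (a|0> + b|1>)|psi>
    return {s: (p, matvec(U[s], post)) for s, (p, post) in measure(vec, 1).items()}


def apply_on_ST(vec8, unitary_for_a):
    """Apply unitary_for_a[a] to the S,T register for each ancilla value a,
    i.e. the operator sum_a unitary_for_a[a] ⊗ |a><a|_A."""
    new = [0j] * 8
    for a in (0, 1):
        sub = [vec8[4 * s + 2 * t + a] for s in (0, 1) for t in (0, 1)]
        res = matvec(unitary_for_a[a], sub)
        for s in (0, 1):
            for t in (0, 1):
                new[4 * s + 2 * t + a] = res[2 * s + t]
    return new


def cnot_S_to_A(vec8):
    """Controlled NOT with S as control and the ancilla A as target."""
    new = [0j] * 8
    for i, v in enumerate(vec8):
        s = (i >> 2) & 1
        new[i ^ s] = v            # flip bit 0 (A) exactly when S = 1
    return new


def deferred_measurement(a, b, psi):
    """Procedure (b): copy S into the ancilla with a CNOT, apply U controlled on
    the ancilla, and only measure the ancilla at the very end."""
    vec = [0j] * 8
    for s, amp in ((0, a), (1, b)):
        for t in (0, 1):
            vec[4 * s + 2 * t] = amp * psi[t]          # ancilla starts in |0>_A
    vec = cnot_S_to_A(vec)
    vec = apply_on_ST(vec, U)                          # U_0 ⊗ |0><0|_A + U_1 ⊗ |1><1|_A
    results = {}
    for s, (p, post) in measure(vec, 0).items():
        st = [post[4 * i + 2 * j + s] for i in (0, 1) for j in (0, 1)]  # strip |s>_A
        results[s] = (p, st)
    return results


def same_up_to_phase(u, v, tol=1e-9):
    inner = sum(x.conjugate() * y for x, y in zip(u, v))
    return abs(abs(inner) - 1) < tol            # both vectors are normalised


def procedures_agree(a, b, psi):
    """True iff both procedures give the same outcome probabilities and the same
    final S,T state (up to a global phase) for every outcome."""
    ex, de = explicit_measurement(a, b, psi), deferred_measurement(a, b, psi)
    if ex.keys() != de.keys():
        return False
    return all(abs(ex[s][0] - de[s][0]) < 1e-9 and same_up_to_phase(ex[s][1], de[s][1])
               for s in ex)


if __name__ == "__main__":
    for s, (p, _) in explicit_measurement(A_AMP, B_AMP, PSI).items():
        print(f"outcome {s}: probability {p:.2f}")
    print("procedures agree:", procedures_agree(A_AMP, B_AMP, PSI))
```

The comparison is made per outcome because the two procedures are equivalent conditioned on the measurement result, not merely on average: a party who defers the measurement can still apply the outcome-dependent unitary later, which is why this trick is available to a cheater who wants to postpone committing to a classical value.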



1.3.2 Distinguishing Quantum States 

The problem of how best to distinguish quantum states dates back several decades. 
Good accounts of it exist in the literature. 

Alice is to prepare a state $\rho \in \{\rho_0, \rho_1, \ldots, \rho_{n-1}\}$ and send it to Bob. She is to choose $\rho_i$ with probability $\eta_i$. Bob, who knows the identity of the states $\{\rho_0, \rho_1, \ldots, \rho_{n-1}\}$ and their probability distribution, is required to guess the value of $i$ by performing any operations of his choice on $\rho$. It is well known that Bob cannot guess the value of $i$ with guaranteed success, unless the states are orthogonal. 
[Figure 1.1: Sequence of operations for the implementation of a measurement in the z basis on the first part of a state followed by a two-qubit unitary dependent on the outcome, in the case (a) where the measurement is performed explicitly, and (b) where the measurement is kept at the quantum level until the end. In the latter case an ancillary system indexed by A has been introduced, and the unitary operation is now controlled on this system. Note that the end result is the same in both cases. 
(a) $(a|0\rangle + b|1\rangle)|\psi\rangle$ → measure → $|0\rangle|\psi\rangle$ with probability $|a|^2$, then $U_0(|0\rangle|\psi\rangle)$; or $|1\rangle|\psi\rangle$ with probability $|b|^2$, then $U_1(|1\rangle|\psi\rangle)$. 
(b) $(a|0\rangle + b|1\rangle)|\psi\rangle|0\rangle_A$ → controlled NOT → $a|0\rangle|\psi\rangle|0\rangle_A + b|1\rangle|\psi\rangle|1\rangle_A$ → $U_0 \otimes |0\rangle\langle 0|_A + U_1 \otimes |1\rangle\langle 1|_A$ → $a\,U_0(|0\rangle|\psi\rangle)|0\rangle_A + b\,U_1(|1\rangle|\psi\rangle)|1\rangle_A$ → measure A → $U_0(|0\rangle|\psi\rangle)|0\rangle_A$ with probability $|a|^2$, or $U_1(|1\rangle|\psi\rangle)|1\rangle_A$ with probability $|b|^2$.] 
There are two flavours to this problem. One, sometimes called quantum hypothesis testing, involves maximizing the probability of guessing the state cor- 
rectly. The other, unambiguous state discrimination, seeks to never make an 
error. This can be achieved only if the states to be distinguished are linearly in- 
dependent, and at the expense that (unless the states are orthogonal) sometimes 
an inconclusive outcome will be returned. It is the first of these two problems 
that will be relevant to us. 

It follows from the discussion of local operations in the previous section, and the fact that we don't need the system after the measurement, that it is sufficient for Bob to simply do a POVM on $\rho$. This POVM should have $n$ outcomes, with outcome $i$ corresponding to a best guess of Alice's preparation being $\rho_i$.³ The task is to maximize 

$$\sum_i \eta_i\, \mathrm{tr}(E_i \rho_i) \qquad (1.1)$$

over all POVMs $\{E_i\}$. 

In general, it is not known how to obtain an analytic solution to this problem [4], although numerical techniques have been developed [5]. However, a solution is known for the case $n = 2$. In Appendix A we give a proof that in this case, the maximum probability is $\frac{1}{2}\left(1 + \mathrm{tr}\,|\eta_0 \rho_0 - \eta_1 \rho_1|\right)$.⁴ In the case $\eta_0 = \eta_1 = \frac{1}{2}$, this expression is usually written as $\frac{1}{2}(1 + D(\rho_0, \rho_1))$, where $D(\rho_0, \rho_1) = \frac{1}{2}\mathrm{tr}\,|\rho_0 - \rho_1|$ is the trace distance between the two density matrices. 

Other cases for which analytic results are known involve cases where the set of states to be distinguished are symmetric and occur with a uniform probability distribution. In such cases, the so-called square root measurement is optimal. Another result that we will find useful is the following theorem. 



³ It is clear that we can always put the optimal strategy in this form. For a general POVM, each element can be associated with a state that is the best guess for the outcome corresponding to that element. If two elements have the same best guess, we can combine their POVM elements by addition to give a new POVM. This generates a POVM with at most $n$ outcomes. If there are fewer than $n$, then we can always pad the POVM with zero operators. A simple relabelling then ensures that outcome $i$ corresponds to a best guess of $\rho_i$. 

⁴ This is a generalization of the classical distance between probability distributions, for which we also use the symbol $D$; see the definition of that distance later in this chapter. 
Theorem 1.1. Consider using a set of $M$ measurement operators, $\{E_j\}$, to discriminate between a set of $M$ states, $\{\rho_j\}$, which occur with prior probabilities, $\{\eta_j\}$, where the outcome corresponding to operator $E_j$ indicates that the best guess of the state is $\rho_j$. The set $\{E_j\}$ is optimal if and only if 

$$E_i\,(\eta_j \rho_j - \eta_i \rho_i)\,E_j = 0 \quad \forall\, i, j, \qquad (1.2)$$

$$\sum_j E_j\,\eta_j \rho_j - \eta_i \rho_i \geq 0 \quad \forall\, i. \qquad (1.3)$$
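The following Python script is an added worked example (not from the thesis) for the two-state case: it computes the bound $\frac{1}{2}(1 + \mathrm{tr}\,|\eta_0\rho_0 - \eta_1\rho_1|)$, constructs the projective measurement onto the positive and negative eigenspaces of $\eta_0\rho_0 - \eta_1\rho_1$ that attains it, and checks conditions (1.2) and (1.3) of Theorem 1.1 for that measurement. The states $\rho_0 = |0\rangle\langle 0|$ and $\rho_1 = |+\rangle\langle +|$ with equal priors are a constructed choice; the $2\times2$ linear algebra is written out by hand so that the script runs without external libraries.

```python
import math

# Added example (not from the thesis): two-state discrimination, the bound
# 1/2 (1 + tr|eta0 rho0 - eta1 rho1|), the measurement achieving it, and a check
# of the optimality conditions (1.2) and (1.3) of Theorem 1.1.
# States, operators and POVM elements are 2x2 complex lists (qubits).

def madd(A, B, s=1.0):
    return [[A[i][j] + s * B[i][j] for j in range(2)] for i in range(2)]

def mscale(c, A):
    return [[c * A[i][j] for j in range(2)] for i in range(2)]

def mmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(2)) for j in range(2)] for i in range(2)]

def mtrace(A):
    return A[0][0] + A[1][1]

def outer(v):
    """Projector |v><v| for a normalised 2-vector v."""
    return [[v[i] * v[j].conjugate() for j in range(2)] for i in range(2)]

def herm2_eig(M):
    """Eigenvalues and orthonormal eigenvectors of a 2x2 Hermitian matrix."""
    a, b, d = M[0][0].real, M[0][1], M[1][1].real
    if abs(b) < 1e-12:                                  # already diagonal
        return [a, d], [[1 + 0j, 0j], [0j, 1 + 0j]]
    mean, disc = (a + d) / 2, math.sqrt(((a - d) / 2) ** 2 + abs(b) ** 2)
    lams, vecs = [mean + disc, mean - disc], []
    for lam in lams:
        v = [complex(b), complex(lam - a)]              # first row of (M - lam) v = 0
        norm = math.sqrt(sum(abs(x) ** 2 for x in v))
        vecs.append([x / norm for x in v])
    return lams, vecs

def trace_norm(M):
    """tr|M| = sum of |eigenvalues| for Hermitian M."""
    return sum(abs(l) for l in herm2_eig(M)[0])

def trace_distance(rho0, rho1):
    return 0.5 * trace_norm(madd(rho0, rho1, -1.0))

def helstrom_bound(eta0, rho0, eta1, rho1):
    """Maximum probability of guessing correctly between rho0 (prior eta0)
    and rho1 (prior eta1): 1/2 (1 + tr|eta0 rho0 - eta1 rho1|)."""
    gamma = madd(mscale(eta0, rho0), mscale(eta1, rho1), -1.0)
    return 0.5 * (1 + trace_norm(gamma))

def optimal_povm(eta0, rho0, eta1, rho1):
    """E0 projects onto the non-negative eigenspace of eta0 rho0 - eta1 rho1 and
    E1 = 1 - E0 onto the negative one; this projective measurement is optimal."""
    gamma = madd(mscale(eta0, rho0), mscale(eta1, rho1), -1.0)
    E0 = [[0j, 0j], [0j, 0j]]
    E1 = [[0j, 0j], [0j, 0j]]
    for lam, v in zip(*herm2_eig(gamma)):
        if lam >= 0:
            E0 = madd(E0, outer(v))
        else:
            E1 = madd(E1, outer(v))
    return [E0, E1]

def success_probability(povm, etas, rhos):
    """sum_i eta_i tr(E_i rho_i), the quantity (1.1)."""
    return sum(eta * mtrace(mmul(E, rho)).real for E, eta, rho in zip(povm, etas, rhos))

def is_psd(M, tol=1e-9):
    return min(herm2_eig(M)[0]) >= -tol

def theorem_1_1_holds(povm, etas, rhos, tol=1e-9):
    """Check conditions (1.2) and (1.3) of Theorem 1.1 for the given POVM."""
    n = len(povm)
    for i in range(n):
        for j in range(n):
            diff = madd(mscale(etas[j], rhos[j]), mscale(etas[i], rhos[i]), -1.0)
            X = mmul(mmul(povm[i], diff), povm[j])
            if max(abs(X[r][c]) for r in range(2) for c in range(2)) > tol:
                return False                                      # (1.2) violated
    lagr = [[0j, 0j], [0j, 0j]]                                   # sum_j E_j eta_j rho_j
    for E, eta, rho in zip(povm, etas, rhos):
        lagr = madd(lagr, mmul(E, mscale(eta, rho)))
    return all(is_psd(madd(lagr, mscale(etas[i], rhos[i]), -1.0), tol)
               for i in range(n))                                  # (1.3)

# Constructed inputs: rho0 = |0><0|, rho1 = |+><+| with equal priors.
RHO_0 = [[1 + 0j, 0j], [0j, 0j]]
RHO_PLUS = [[0.5 + 0j, 0.5 + 0j], [0.5 + 0j, 0.5 + 0j]]

if __name__ == "__main__":
    povm = optimal_povm(0.5, RHO_0, 0.5, RHO_PLUS)
    print("bound                  :", helstrom_bound(0.5, RHO_0, 0.5, RHO_PLUS))
    print("achieved by measurement:", success_probability(povm, (0.5, 0.5), (RHO_0, RHO_PLUS)))
    print("Theorem 1.1 conditions :", theorem_1_1_holds(povm, (0.5, 0.5), (RHO_0, RHO_PLUS)))
```

For the chosen states the bound is $\frac{1}{2}(1 + 1/\sqrt{2}) \approx 0.854$, and the measurement built from the eigenvectors of $\eta_0\rho_0 - \eta_1\rho_1$ reaches it; the trivial strategy of always guessing $\rho_0$ fails condition (1.3), which is how Theorem 1.1 is used in later chapters to certify that a cheating attack cannot be improved.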



1.3.3 Entanglement, Bell's Theorem And Non-locality 

The title of this section could easily be that of a book. A wealth of previous 
research exists in this area, and a number of debates still rage about the true 
nature of non-locality; some of which date back to the famous Einstein- Podolsky- 
Rosen paper of 1935 or even before. There is no evidence to date that 
contradicts the predictions of quantum theory, but some find its philosophical 
consequences so outrageous that they seek alternative theories that are more 
closely aligned with what is ultimately their own beliefs. Furthermore, there 
exist experimental loopholes which sustain the belief that quantum theory could 
be local.⁵ In this section I briefly discuss some aspects of what is often referred 
to as quantum non-locality. 

The term entanglement describes the property of particles that leads to their 
behaviour being linked even if they have a large separation. Consider a pair 
of electrons created in a process which guarantees that their spins are opposite. 
According to quantum theory, until such a time that a measurement is made, the 
state of the entire system is $\frac{1}{\sqrt{2}}\left(|\!\uparrow_1\downarrow_2\rangle + |\!\downarrow_1\uparrow_2\rangle\right)$. Measuring either particle in the $\{\uparrow, \downarrow\}$ basis causes the state of the entire two particle system to collapse to either $|\!\uparrow_1\downarrow_2\rangle$ or $|\!\downarrow_1\uparrow_2\rangle$ with probability half each. What is philosophically challenging about this is that measuring the first particle affects the properties of the second particle instantaneously. If one were to perform the experiment, the natural conclusion would be that each particle was assigned to be in either the $|\!\uparrow\rangle$ or $|\!\downarrow\rangle$ 
state when they were created, and hence such results are not at all surprising: we 



⁵ No experiment to date has properly ensured space-like separation of measurements. 
simply didn't know how the state was assigned until the measurement. A famous analogy is that of Bertlmann's socks [13]. Which colour he wears on a particular day is unpredictable, but his socks are never coloured the same. On seeing that his right sock is pink, instantaneously one knows that his left is not. Based on this experiment alone, both hypotheses are tenable. 

It was Bell who realized a way in which these hypotheses can be distinguished [13]. He developed an inequality that any local realistic theory must obey⁶, before showing that suitable entangled quantum systems can violate this. The most common recasting of his ideas is the CHSH inequality (named after Clauser, Horne, Shimony and Holt). Consider the following abstract scenario. Two spatially separated boxes each have two possible settings (inputs), and two possible outputs, $+1$ and $-1$. We label the inputs $P$ and $Q$ for each box, and use $P_i \in \{1, -1\}$ and $Q_i \in \{1, -1\}$ to denote the output of the box for input $P$ or $Q$ respectively, with index $i \in \{1, 2\}$ corresponding to the box to which we are referring. (In a quantum mechanical context, the inputs represent choices of measurement basis, and the outputs the measurement result.) The CHSH test involves the quantity $\langle P_1 P_2 + P_1 Q_2 + Q_1 P_2 - Q_1 Q_2 \rangle$, where $\langle X \rangle$ denotes the expectation value of random variable $X$. The following theorem gives the limit of this quantity for local hidden variable theories. 

Theorem 1.2. There is no assignment of values $(P_1, P_2, Q_1, Q_2) \in \{\pm 1\}^4$ (and hence no local hidden variable theory) for which $\langle P_1 P_2 + P_1 Q_2 + Q_1 P_2 - Q_1 Q_2 \rangle > 2$. 

Nevertheless, values as high as $2\sqrt{2}$ are possible using quantum systems [14], although these fall short of the maximum algebraic limit of 4. The achievability of $2\sqrt{2}$ rules out the possibility of a local hidden variable theory for explaining the data (modulo a few remaining loopholes, see for example [15-17] for discussions). A non-local but realistic theory can evade the theorem by allowing the value of quantities defined on one particle to change when a measurement is made on another, no matter how separated the particles are. It is not straightforward to drop the realistic assumption while keeping the theory local, since the concept of locality itself is inherently linked with realism. Hence it is common terminology in the literature to use the phrase "non-local effects" to allude to violations of Bell-type inequalities such as that of CHSH. 

⁶ A local theory is one in which no influence can travel faster than light; a realistic theory is one in which values of quantities exist prior to being measured. 
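As an added example (not part of the thesis), the Python script below makes Theorem 1.2 and the quantum value concrete: it enumerates the sixteen deterministic local assignments to obtain the bound 2, and computes $\langle P_1 P_2 + P_1 Q_2 + Q_1 P_2 - Q_1 Q_2 \rangle$ for the state $(|00\rangle + |11\rangle)/\sqrt{2}$ with spin measurements at angles $0$ and $\pi/2$ for box 1 and $\pi/4$ and $-\pi/4$ for box 2. The angles and the state are a constructed choice that reaches $2\sqrt{2}$; a product state is included to show that the entanglement is what lifts the value above 2.

```python
import itertools
import math

# Added example (not from the thesis): the CHSH quantity of Theorem 1.2, its
# local bound from enumerating deterministic assignments, and its quantum
# value for the state (|00> + |11>)/sqrt(2) with the constructed angles below.

# (box-1 setting index, box-2 setting index, sign) for P1P2 + P1Q2 + Q1P2 - Q1Q2,
# where setting index 0 is P and 1 is Q.
CHSH_TERMS = ((0, 0, +1), (0, 1, +1), (1, 0, +1), (1, 1, -1))

def chsh_of_assignment(p1, q1, p2, q2):
    """P1 P2 + P1 Q2 + Q1 P2 - Q1 Q2 for one deterministic assignment."""
    return p1 * p2 + p1 * q2 + q1 * p2 - q1 * q2

def local_bounds():
    """Range of the CHSH quantity over the 16 deterministic local assignments.
    A local hidden-variable model is a probability mixture of these, so its
    expectation value is a convex combination and lies in the same range."""
    vals = [chsh_of_assignment(*bits) for bits in itertools.product((1, -1), repeat=4)]
    return min(vals), max(vals)

def kron(A, B):
    n, m = len(A), len(B)
    return [[A[i // m][j // m] * B[i % m][j % m] for j in range(n * m)] for i in range(n * m)]

def expectation(state, M):
    """<state| M |state> for a real or complex state vector."""
    Mv = [sum(M[i][j] * state[j] for j in range(len(state))) for i in range(len(M))]
    return sum(s.conjugate() * x for s, x in zip(state, Mv)).real

def sigma(theta):
    """Spin observable cos(theta) Z + sin(theta) X with outcomes +1 and -1."""
    return [[math.cos(theta), math.sin(theta)], [math.sin(theta), -math.cos(theta)]]

def chsh_value(state, box1, box2):
    """<P1P2 + P1Q2 + Q1P2 - Q1Q2>; box1 = (angle for P, angle for Q) of box 1,
    box2 likewise. Each correlation is computed from the two-qubit state."""
    return sum(sign * expectation(state, kron(sigma(box1[i]), sigma(box2[j])))
               for i, j, sign in CHSH_TERMS)

R = 1 / math.sqrt(2)
PHI_PLUS = [R, 0.0, 0.0, R]            # (|00> + |11>)/sqrt(2)
PRODUCT_00 = [1.0, 0.0, 0.0, 0.0]      # |00>, no entanglement
BOX1 = (0.0, math.pi / 2)              # constructed settings P, Q for box 1
BOX2 = (math.pi / 4, -math.pi / 4)     # constructed settings P, Q for box 2

def quantum_chsh():
    return chsh_value(PHI_PLUS, BOX1, BOX2)

if __name__ == "__main__":
    print("local hidden variable range:", local_bounds())
    print("entangled state            :", quantum_chsh())
    print("product state              :", chsh_value(PRODUCT_00, BOX1, BOX2))
```

The enumeration is the whole content of Theorem 1.2: a local hidden variable theory can only mix the sixteen rows, and no row exceeds 2. The quantum computation does not assume the closed form $\cos(\alpha - \beta)$ for the correlations; it evaluates each expectation value from the state vector, so the same function can be pointed at any other two-qubit state or pair of settings.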

1.3.4 Entropy Measures 

1.3.4.1 Random Events 

When we discuss random events, we assume that they occur according to a predefined ensemble of possible outcomes and their associated probabilities. Event $X$ is a single instance drawn from the ensemble $\{1, 2, \ldots, |X|\}$ with probabilities $\{P_X(1), P_X(2), \ldots, P_X(|X|)\}$. We call this probability distribution $P_X$. The terminology $X = x$ refers to a single instance drawn from this distribution taking the value $x$. One similarly defines distributions over more than one random variable. For instance, $P_{XY}$ is the joint distribution of $X$ and $Y$, and $P_{X|Y=y}$ is the distribution of $X$ conditioned on the fact that $Y$ takes value $y$. 

1.3.4.2 Shannon Entropy 



It was Shannon who pioneered the mathematical formulation of information [18]. In essence his insight was that an event that occurs with probability $p$ could be associated with an amount of information $-\log p$.⁷ Consider many independent repetitions of random event $X$. The average information revealed by each instance of $X$ is given by the Shannon entropy of $X$ defined as follows. 

Definition 1.1. The Shannon entropy associated with an event $x$ drawn from random distribution $X$ is $H(X) = -\sum_{x \in X} P_X(x) \log P_X(x)$. 

Likewise, one can define conditional Shannon entropies. $H(X|Y = y)$ denotes the Shannon entropy of $X$ given $Y = y$. It measures the average amount of information one learns from a single instance of $X$ if one possesses string $y \in Y$, where $X, Y$ are chosen according to joint distribution $P_{XY}$. One can average this quantity over $y$ to form $H(X|Y)$, the conditional Shannon entropy. 



⁷ In information theory, as in this thesis, all logarithms are taken in base 2 and hence entropies and related quantities are measured in bits. 

Definition 1.2. The conditional Shannon entropy of an event $X$ given $Y$ is defined by $H(X|Y) = -\sum_{x \in X,\, y \in Y} P_Y(y)\, P_{X|Y=y}(x) \log P_{X|Y=y}(x)$. 

This leads one to define the mutual Shannon information between $X$ and $Y$ by $I(X : Y) = H(X) - H(X|Y) = H(Y) - H(Y|X)$. In some sense, this is the amount of information in common to the two strings $X$ and $Y$. 

Shannon information was first used to solve problems of compression, and communication over a noisy channel, as given in the following theorems [18]. 



Theorem 1.3. (Source coding theorem) Consider a source emitting independent and identically distributed (IID) random variables drawn from distribution $P_X$. For any $\varepsilon > 0$ and $R > H(X)$, there exists an encoder such that for sufficiently large $N$, any sequence of $N$ draws from the source can be compressed to length $NR$, and a decoder such that, except with probability $< \varepsilon$, the original sequence can be restored from the compressed string. 

Furthermore, if one tries to compress the same source using $R < H(X)$ bits per instance, it is virtually certain that information will be lost. 

Definition 1.3. For a discrete, memoryless channel, in which Alice sends a random variable drawn from $X$ to Bob who receives $Y$, the channel capacity is defined by $C = \max_{P_X} I(X : Y)$. 

Theorem 1.4. (Noisy channel coding theorem) Consider Alice communicating with Bob via a discrete memoryless channel which has the property that if Alice draws from an IID source $X$, Bob receives $Y$. For any $\varepsilon > 0$ and $R < C$, for large enough $N$, there exists an encoding of length $N$ and a decoder such that $\geq RN$ bits of information are conveyed by the channel for each encoder-channel-decoder cycle, except with probability $< \varepsilon$. 

Notice that in the noisy channel coding theorem, the channel is memoryless, 
and Alice has an IID source. In other words, all uses of the channel are indepen- 
dent of one another. This is the situation in which Shannon information is useful. 
However, in cryptographic scenarios where the channel may be controlled by an 
eavesdropper, such an assumption is not usually valid. Instead, other entropy measures have been developed that apply in these situations; they are discussed in the next section. 
The relative entropy, which is a measure of the closeness of two probability distributions, will also be of use. 

Definition 1.4. The relative entropy of $P_X$ and $Q_X$ is given by 

$$H(P_X \| Q_X) = \sum_x P_X(x) \log \frac{P_X(x)}{Q_X(x)}. \qquad (1.4)$$
1.3.4.3 Beyond Shannon Entropy 

Rényi [19] introduced the following generalization of the Shannon entropy. 

Definition 1.5. The Rényi entropy of order $\alpha$ is defined by 

$$H_\alpha(X) = \frac{1}{1 - \alpha} \log \sum_{x \in X} P_X(x)^\alpha. \qquad (1.5)$$

We have $H_1(X) = \lim_{\alpha \to 1} H_\alpha(X) = H(X)$. Two other important cases are $H_0(X) = \log |X|$ and $H_\infty(X) = -\log \max_{x \in X} P_X(x)$. A useful property is that, for $\alpha < \beta$, $H_\alpha(X) \geq H_\beta(X)$. 

$H_\infty(X)$ is sometimes called the min-entropy of $X$. We will see that it is 
important for privacy amplification. There, the presence of an eavesdropper 
means that it no longer suffices to consider each use of the channel as independent. 
The min-entropy represents the maximum amount of information that could be 
learned from the event X, so describes the worst case scenario. In a cryptographic 
application, one wants to be assured security even in the worst case. 

In general, Rényi entropies are strongly discontinuous.⁸ However, smoothed versions of these quantities have been introduced which remove such discontinuities. In essence, these smoothed quantities involve optimizing such quantities over a small region of probability space. They have operational significance in cryptography in that they provide the relevant quantities for information reconciliation and privacy amplification, as will be discussed in Section 1.4. It will be 



8 Consider the two distributions Px and Qx defined on x £ {1, . . . , 2"}. Take Px(x = 1) = 
2~t, Px(x 7^ 1) = 1 ~ 1 2 _ 1 4 , and Qx to be the uniform distribution. Comparing min-entropics 
gives H^(X) — H^(X) = ^p. In the large n limit, the two distributions have distance w 2~t 
(see Definition 1 1.21 [I . which is exponentially small, while the difference in min-entropies becomes 
arbitrarily large. 
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the conditional versions of these entropies that concern us, hence we provide a 
definition of these directly. 
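To make the discontinuity in footnote 8 concrete, here is an added example (written for this edition, not code from the thesis) that evaluates $H_\alpha$ for the cases listed above and reproduces the footnote's two distributions for a chosen $n$. The distribution shapes and the values of $n$ are constructed for the illustration; the functions compute the quantities exactly as defined in (1.5) and in Definition 1.7's classical distance.

```python
import math

def renyi_entropy(p, alpha):
    """Renyi entropy H_alpha(X) in bits for a distribution p given as a list of probabilities.
    alpha = 1 is the Shannon limit, alpha = math.inf the min-entropy, alpha = 0 the log support size."""
    support = [q for q in p if q > 0]
    if alpha == 0:
        return math.log2(len(support))
    if alpha == 1:
        return -sum(q * math.log2(q) for q in support)
    if alpha == math.inf:
        return -math.log2(max(support))
    return math.log2(sum(q ** alpha for q in support)) / (1 - alpha)

def statistical_distance(p, q):
    """Classical distance D(P, Q) = 1/2 * sum_x |P(x) - Q(x)| (Definition 1.7)."""
    return sum(abs(a - b) for a, b in zip(p, q)) / 2

def footnote_8_example(n):
    """Constructs P_X (one atom of weight 2^{-n/2}, the rest spread evenly) and uniform Q_X on 2^n points,
    then returns their distance and the gaps in min-entropy and Shannon entropy."""
    size = 2 ** n
    peak = 2.0 ** (-n / 2)
    p = [peak] + [(1 - peak) / (size - 1)] * (size - 1)
    q = [1.0 / size] * size
    return {
        "distance": statistical_distance(p, q),
        "min_entropy_gap": renyi_entropy(q, math.inf) - renyi_entropy(p, math.inf),
        "shannon_gap": renyi_entropy(q, 1) - renyi_entropy(p, 1),
    }

def is_nonincreasing_in_alpha(p, alphas=(0, 0.5, 1, 2, 10, math.inf)):
    """Checks the property H_alpha(X) >= H_beta(X) for alpha < beta on one distribution."""
    values = [renyi_entropy(p, a) for a in alphas]
    return all(a >= b - 1e-12 for a, b in zip(values, values[1:]))

if __name__ == "__main__":
    # The distance shrinks like 2^{-n/2} while the min-entropy gap grows like n/2.
    for n in (4, 8, 12):
        print(n, footnote_8_example(n))
```

The Shannon gap between the two distributions stays small as $n$ grows, so the example also shows that the discontinuity is specific to the min-entropy and not a feature of the Shannon entropy.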

Definition 1.6. [20] For a distribution $P_{XY}$, and smoothing parameter $\epsilon \geq 0$, we define the following smoothed Rényi entropies:

$$H_0^\epsilon(X|Y) = \min_{\Omega} \max_{y} \log \left|\{x : P_{X\Omega|Y=y}(x) > 0\}\right| \qquad (1.6)$$

$$H_\infty^\epsilon(X|Y) = \max_{\Omega} \left( -\log \max_{y} \max_{x} P_{X\Omega|Y=y}(x) \right), \qquad (1.7)$$

where $\Omega$ is a set of events with total probability at least $1 - \epsilon$, and $P_{X\Omega|Y=y}(x)$ denotes the probability that $X$ takes the value $x$ and event $\Omega$ occurs, given that $Y$ takes the value $y$.



More generally, the smooth Rényi entropy of order $\alpha$ can be defined [20], but since, up to an additive constant, these equal either $H_0^\epsilon$ (for $\alpha < 1$) or $H_\infty^\epsilon$ (for $\alpha > 1$), we ignore such quantities in our discussion. It is also worth noting that for a large number of independent repetitions of the same experiment, the Rényi entropies tend to the Shannon entropy, that is,

$$\lim_{\epsilon \to 0} \lim_{n \to \infty} \frac{H_\alpha^\epsilon(X^n|Y^n)}{n} = H(X|Y). \qquad (1.8)$$

1.3.4.4 Quantum Entropic Quantities

The entropy of a quantum state, $\rho$, is commonly expressed using the von Neumann entropy,

$$H(\rho) = -\mathrm{tr}(\rho \log \rho). \qquad (1.9)$$

This is the quantum analogue of the Shannon entropy, and is equal to the Shannon entropy of the probability distribution formed if $\rho$ is measured in its diagonal basis. Hence, if $\rho$ is classical, that is $\rho = \sum_x P_X(x)|x\rangle\langle x|$ for some orthonormal basis $\{|x\rangle\}$, then $H(\rho) = H(X)$.

In a similar way, one defines the quantum relative entropy between the states $\rho$ and $\sigma$ by

$$H(\rho \| \sigma) = \mathrm{tr}(\rho \log \rho) - \mathrm{tr}(\rho \log \sigma). \qquad (1.10)$$

This again reduces to the classical version if $\sigma$ and $\rho$ have the same diagonal basis. It has the following important property.
Theorem 1.5. (Klein's inequality) $H(\rho \| \sigma) \geq 0$, with equality if and only if $\rho = \sigma$.

The conditional von Neumann entropy can be defined[9]

$$H(\rho_{AB}|\sigma_B) = -\mathrm{tr}\left(\rho_{AB}\left(\log \rho_{AB} - \log \mathbb{1}_A \otimes \sigma_B\right)\right) \qquad (1.11)$$
$$= H(\rho_{AB}) - H(\rho_B) - H(\rho_B \| \sigma_B), \qquad (1.12)$$

where $\rho_B = \mathrm{tr}_A \rho_{AB}$. We can also define a version for the extremal case $\sigma_B = \rho_B$,

$$H(\rho_{AB}|B) = H(\rho_{AB}|\rho_B). \qquad (1.13)$$

Likewise, we define quantum min-entropies,

$$H_\infty(\rho_A) = -\log \lambda_{\max}(\rho_A), \qquad (1.14)$$
$$H_\infty(\rho_{AB}|\sigma_B) = -\log \lambda, \qquad (1.15)$$
$$H_\infty(\rho_{AB}|B) \equiv \min_{\sigma_B} H_\infty(\rho_{AB}|\sigma_B), \qquad (1.16)$$

where $\lambda_{\max}(\rho)$ is the largest eigenvalue of $\rho$, and $\lambda$ is the minimum real number such that $\lambda \mathbb{1}_A \otimes \sigma_B - \rho_{AB} \geq 0$.

Lemma 1.1. Consider the case where system A is classical, that is, $\rho_{AB} = \sum_i P_A(i)|i\rangle\langle i| \otimes \rho_B^i$. For such states,

(a) $H_\infty(\rho_{AB}|B) \geq 0$, and

(b) $H_\infty(\rho_{AB}|B) = 0$ if there exists some $j$ such that $\rho_B^j$ is not contained within the support of $\{\rho_B^i\}_{i \neq j}$.

Proof. For a state of this form, $\lambda \mathbb{1}_A \otimes \sigma_B - \rho_{AB}$ is block diagonal with block entries $\lambda \sum_{i \neq j} P_A(i)\rho_B^i + (\lambda - 1)P_A(j)\rho_B^j$, for some $j$. If $\lambda \geq 1$, these are positive for all $j$, from which (a) then follows using the definition of $H_\infty(\rho_{AB}|B)$.

In order that $H_\infty(\rho_{AB}|B) = 0$, there must exist a $j$ such that for all $\epsilon = 1 - \lambda > 0$, $(1 - \epsilon)\sum_{i \neq j} P_A(i)\rho_B^i - \epsilon P_A(j)\rho_B^j$ is negative. This implies that for some $j$, $\rho_B^j$ is not contained within the support of $\{\rho_B^i\}_{i \neq j}$, hence establishing (b). QED

[9] Alternative definitions are sometimes given, e.g. in [4], which do not contain the $H(\rho_B \| \sigma_B)$ part [21].
Recall from Section 1.3.4.3 that the classical min-entropy can be associated with information content in the worst case scenario. The same is true here. In the extremal case, there exists some $j$ such that $\rho_B^j$ is not contained within the support of $\{\rho_B^i\}_{i \neq j}$. Then there exists some measurement on system B for which at least one outcome identifies the state of system A precisely, and the corresponding min-entropy is 0.

One can also define smoothed versions of these entropies. The $\epsilon$-smooth min-entropy of $\rho_{AB}$ given $\sigma_B$ is given by

$$H_\infty^\epsilon(\rho_{AB}|\sigma_B) = \min_{\bar\rho_{AB}} H_\infty(\bar\rho_{AB}|\sigma_B), \qquad (1.17)$$

where the minimum is over the set of operators $\bar\rho_{AB}$ satisfying $D(\rho_{AB}, \bar\rho_{AB}) \leq \epsilon$, with $\mathrm{tr}(\bar\rho_{AB}) \leq 1$. In other words, the smoothed version of the min-entropy is formed by considering density matrices close to $\rho_{AB}$. This is in direct analogy with the classical case, where nearby probability distributions were considered using the parameter $\Omega$.

We also define

$$H_\infty^\epsilon(\rho_{AB}|B) = \min_{\sigma_B} H_\infty^\epsilon(\rho_{AB}|\sigma_B), \qquad (1.18)$$

where we give the second Hilbert space of the system to the eavesdropper.

1.4 Quantum Key Distribution 

Quantum key distribution is one of the big success stories of quantum informa- 
tion theory. It allows two separated agents, Alice and Bob, to generate a shared 
random string about which an eavesdropper, Eve, has no information. Such a 
random string can form the key bits of a one-time pad, for example, and hence 
allow secure communication between Alice and Bob. This task is known to be 
impossible classically, without making computational assumptions, and is histor- 
ically the first instance of a quantum protocol. Really the task should be called 
key expansion, since an initial shared random string is needed for authentication. 
We avoid this distinction by giving Alice and Bob shared authenticated classical 
channels (upon which Eve can only listen, but not modify), and a completely 
insecure quantum channel. 
Eve can always perform a denial of service attack, blocking communication between Alice and Bob. However, we assume instead that she wants to learn some part of their message. There are several steps common to most key distribution protocols: exchange of information over the insecure channel, reconciliation of this information (i.e. error correction) and then privacy amplification (i.e. reducing Eve's information to a negligible amount).

Often, the quantum part of the protocol is restricted to the first step. A quantum channel is used to set up correlated random strings, after which classical reconciliation and privacy amplification procedures are used. In essence, the security of the protocol relies on the fact that an eavesdropper can neither copy a quantum state, nor learn anything about it without disturbance. We will not discuss the alternative approach, where these latter procedures are also quantum, and at the end of the protocol Alice and Bob possess shared singlets. For concreteness, we now outline Bennett and Brassard's 1984 protocol, BB84.

Protocol 1.1. Define 2 bases, $\mathcal{B}_0 = \{|0\rangle, |1\rangle\}$ and $\mathcal{B}_1 = \{|+\rangle, |-\rangle\}$, where $|\pm\rangle = \frac{1}{\sqrt{2}}(|0\rangle \pm |1\rangle)$.

1. Alice selects a set of bits uniformly at random, $\{x_i\}$, along with a uniform random set of bases $\{A_i\}$, where $x_i \in \{0, 1\}$ and $A_i \in \{\mathcal{B}_0, \mathcal{B}_1\}$.

2. She encodes bit $x_i$ using basis $A_i$, where 0 is encoded as $|0\rangle$ or $|+\rangle$, and 1 as $|1\rangle$ or $|-\rangle$.

3. Alice sends the encoded qubits to Bob through the quantum channel.

4. Bob selects a random set of bases $\{B_i\}$, with $B_i \in \{\mathcal{B}_0, \mathcal{B}_1\}$, and measures the $i$th incoming qubit in basis $B_i$.

5. Once Bob has made all his measurements, Alice announces the bases she used over the public channel, and Bob does the same.

6. (sifting) Alice and Bob discard all the measurements made using different bases. On average half the number of qubits sent by Alice remain. In the absence of noise and an eavesdropper the leftover strings are identical.

7. Alice and Bob compare the values of a subset of their bits, selected at random. This allows them to estimate the error rate. If it is too high, they abort.

8. Alice and Bob perform reconciliation and privacy amplification on the remaining bits.
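The following added example (not part of the thesis) simulates Protocol 1.1 classically: a qubit is modelled as its preparation basis and bit, which reproduces the measurement statistics the protocol relies on (a measurement in the preparation basis returns the bit, one in the other basis returns a uniformly random bit). It shows the two facts that step 7 depends on: without interference the sifted strings agree exactly, while an intercept-and-resend eavesdropper who measures each qubit in a random basis and forwards her outcome leaves an error rate of about 25% in the sifted bits, far above any sensible abort threshold. The abort threshold, the eavesdropper model, the sizes and the seeds are constructed assumptions of the example.

```python
import random

# Toy model of the qubits in Protocol 1.1. Basis 0 is {|0>,|1>}, basis 1 is {|+>,|->};
# a qubit is the pair (preparation basis, bit).

def measure(qubit, basis, rng):
    """Same basis: the encoded bit. Conjugate basis: a uniformly random outcome."""
    prep_basis, bit = qubit
    return bit if basis == prep_basis else rng.randrange(2)

def intercept_resend(qubit, rng):
    """Constructed eavesdropper model: measure in a random basis, forward a qubit carrying the outcome."""
    basis = rng.randrange(2)
    return (basis, measure(qubit, basis, rng))

def bb84(n, rng, eve=False, abort_threshold=0.11):
    a_bits = [rng.randrange(2) for _ in range(n)]            # step 1: Alice's bits
    a_bases = [rng.randrange(2) for _ in range(n)]           # step 1: Alice's bases
    qubits = list(zip(a_bases, a_bits))                      # step 2: encoding
    if eve:                                                  # step 3: the channel, possibly attacked
        qubits = [intercept_resend(q, rng) for q in qubits]
    b_bases = [rng.randrange(2) for _ in range(n)]           # step 4: Bob's bases
    b_bits = [measure(q, b, rng) for q, b in zip(qubits, b_bases)]
    # steps 5-6: bases are announced and mismatched positions are discarded (sifting)
    sifted = [(x, y) for x, y, ab, bb in zip(a_bits, b_bits, a_bases, b_bases) if ab == bb]
    # step 7: a random half of the sifted bits is sacrificed to estimate the error rate
    rng.shuffle(sifted)
    half = len(sifted) // 2
    sample, remaining = sifted[:half], sifted[half:]
    qber = sum(x != y for x, y in sample) / len(sample) if sample else 0.0
    return {
        "sifted_fraction": len(sifted) / n,
        "qber": qber,
        "abort": qber > abort_threshold,
        "alice_key": [x for x, _ in remaining],   # step 8 would reconcile and amplify these
        "bob_key": [y for _, y in remaining],
    }

def run_trial(n, seed, eve=False):
    """One BB84 session with a seeded generator, so that results are reproducible."""
    return bb84(n, random.Random(seed), eve=eve)

if __name__ == "__main__":
    for eve in (False, True):
        r = run_trial(20000, 2024, eve=eve)
        print(f"eve={eve}: sifted {r['sifted_fraction']:.3f}, QBER {r['qber']:.3f}, abort={r['abort']}")
```

The 25% figure follows from the model: Eve guesses the wrong basis half the time, and in those cases Bob's result in the (matching) basis is random, so half of those sifted positions are in error.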

1.4.1 Information Reconciliation 

Information reconciliation is error correction. In essence, Alice wants to send 
error correction information to Bob so that he can make his partially correlated 
string identical to hers. Since this information will be sent over a public channel 
on which Eve has full access, Alice wishes to minimize the error correction infor- 
mation at the same time as providing a low probability of non-matching strings 
in the result. 

The task of information reconciliation can be stated as follows. Alice has 
string X and Bob Y, these being chosen with joint distribution Pxy- Alice also 
possesses some additional independent random string R. What is the minimum 
length of string S = f(X, R) that Alice can compute such that X is uniquely 
obtainable by Bob using Y, S and R, except with probability less than e? 

In [20], this quantity is denoted $H^\epsilon_{enc}(X|Y)$ and is tightly bounded by the relation

$$H_0^{\epsilon}(X|Y) \leq H^\epsilon_{enc}(X|Y) \leq H_0^{\epsilon_1}(X|Y) + \log\frac{1}{\epsilon_2}, \qquad (1.19)$$

where $\epsilon_1 + \epsilon_2 = \epsilon$.

It is intuitively clear why $H_0^\epsilon(X|Y)$ is the correct quantity. Recall the definition (1.6)

$$H_0^\epsilon(X|Y) = \min_{\Omega} \max_{y} \log \left|\{x : P_{X\Omega|Y=y}(x) > 0\}\right|,$$

where $\Omega$ is a set of events with total probability at least $1 - \epsilon$. The size of the set of strings $x$ that could have generated $Y = y$ given $\Omega$ is $|\{x : P_{X\Omega|Y=y}(x) > 0\}|$. Alice's additional information needs to point to one of these. It hence requires $\log|\{x : P_{X\Omega|Y=y}(x) > 0\}|$ bits to encode. Since Alice does not know $y$, she must assume the worst, hence we maximize over $y$. Furthermore, since some error is tolerable, we minimize over $\Omega$, by cutting away unlikely events from the probability distribution.

Figure 1.2: Schematic showing information reconciliation. The release of $S = f(X, R)$ reduces Bob's uncertainty on Alice's string, $X$, to a negligible amount.

1.4.2 Privacy Amplification

In essence, this task seeks to find the maximum length of string Alice and Bob can form from their shared string such that Eve has no information on this string.

This task can be stated more formally as follows. Alice possesses string $X$ and Eve string $Z$, distributed according to $P_{XZ}$. Alice also has some uncorrelated random string $R$. What is the maximum length of a binary string $S = f(X, R)$, such that for a uniform random variable $U$ that is independent of $Z$ and $R$, we have $S = U$, except with probability less than $\epsilon$?

This quantity, denoted $H^\epsilon_{ext}(X|Z)$, has been bounded [20] as follows:[10]

$$H_\infty^{\epsilon_1}(X|Z) - 2\log\frac{1}{\epsilon_2} \leq H^\epsilon_{ext}(X|Z) \leq H_\infty^{\epsilon_1}(X|Z), \qquad (1.20)$$

where $\epsilon_1 + \epsilon_2 = \epsilon$.

[10] For the moment we consider the case where Eve's information is classical.
Let us give a brief intuition as to why this is the correct quantity. Recall the definition

$$H_\infty^\epsilon(X|Z) = \max_{\Omega} \left( -\log \max_{z} \max_{x} P_{X\Omega|Z=z}(x) \right).$$

Given that she holds $Z = z$, the minimum amount of information Eve could ... We can think of this as the information in $X$ that is independent of $Z = z$ in the worst case. If we minimize this quantity over $z$, which corresponds to the worst possible case for Alice, we have $-\log \max_z \max_x P_{X|Z=z}(x)$. In many scenarios there is a small probability that an eavesdropper can guess Alice's string perfectly, in which case this quantity is zero. We hence maximize over sets of events $\Omega$ that have total probability at least $1 - \epsilon$. This introduces some probability of error, but gives a significant increase in the size of the min-entropy over its non-smoothed counterpart.

1.4.2.1 Extractors And Universal Hashing

Privacy amplification is often studied using the terminology of extractors. Roughly speaking, an extractor is a function that takes as input $X$, along with some additional uniformly distributed and uncorrelated randomness, $R$, and returns $S = f(X, R)$ that is almost uniformly distributed. For a strong extractor, we have the additional requirement that $S$ is independent of $R$. After defining a distance measure for classical probability distributions, we give a formal definition of a strong extractor.

Definition 1.7. The classical distance[11] between two probability distributions $P$ and $Q$ defined on the domain $\mathcal{X}$ is given by

[11] This is a special case of the trace distance defined in Section 1.3.2 and hence we denote it by the same symbol, $D$. It is related to the maximum probability of successfully distinguishing the two distributions in the same way that the trace distance of two quantum states is related to the maximum probability of distinguishing them (cf. Appendix A).
Definition 1.8. Let $U_\mathcal{S}$ be the uniform distribution over the members of $\mathcal{S}$. A strong $(r, \kappa, \epsilon)$-extractor is a function that takes inputs $X$ and $R$ and returns $S = f(X, R)$, where $|\mathcal{S}| = 2^r$, such that if $H_\infty(X) \geq \kappa$, and $R$ is uniformly distributed and independent of $X$, then $D(P_{SR}, P_{U_\mathcal{S}} P_R) \leq \epsilon$, where $P_{U_\mathcal{S}}$ is the uniform distribution on $\mathcal{S}$.

A small distance, $\epsilon$, between two probability distributions is essentially the same as saying that the two distributions are equal, except with probability $\epsilon$.

As an example of an extractor, consider a universal hash function [22, 23].

Definition 1.9. A set of hash functions, $\mathcal{F}$, from $\mathcal{X}$ to $\mathcal{S}$ is universal if, for any distinct $x_1$ and $x_2$ in $\mathcal{X}$, and for a function $f \in \mathcal{F}$ picked uniformly at random, the probability that $f(x_1) = f(x_2)$ is at most $\frac{1}{|\mathcal{S}|}$.

We now show that this satisfies the necessary requirements for a strong extractor.

Consider some probability distribution $P_V$ on $\mathcal{V}$, and take $U_\mathcal{V}$ to be the uniform distribution over the same set. We have

$$D(P_V, P_{U_\mathcal{V}}) = \frac{1}{2}\sum_{v \in \mathcal{V}}\left|P_V(v) - \frac{1}{|\mathcal{V}|}\right| \leq \frac{1}{2}\sqrt{|\mathcal{V}| \sum_{v \in \mathcal{V}}\left(P_V(v) - \frac{1}{|\mathcal{V}|}\right)^2} = \frac{1}{2}\sqrt{|\mathcal{V}| \sum_{v \in \mathcal{V}} P_V(v)^2 - 1}, \qquad (1.22)$$

where we have used the Cauchy-Schwarz inequality.[12] Hence, the collision probability, $P_C(V) = \sum_{v \in \mathcal{V}} P_V(v)^2$, i.e. the probability that two events each drawn from $P_V$ are identical, allows us to bound the distinguishability of $P_V$ from uniform.

To show that a universal hash function is an extractor, we take $V$ to be $SR$.

[12] The Cauchy-Schwarz inequality states that $|\mathbf{x} \cdot \mathbf{y}|^2 \leq |\mathbf{x}|^2 |\mathbf{y}|^2$. The version we use is for the case $\mathbf{y} = (1, 1, \ldots, 1)$.
We have

$$P_C(SR) = P_C(R) P_C(S|R) \leq \frac{1}{|\mathcal{R}|}\left(2^{-H_2(X)} + \frac{1}{|\mathcal{S}|}\right), \qquad (1.23)$$

where the inequality follows from the definition of a universal hash function. Thus, using (1.22), we have

$$D(P_{SR}, P_{U_\mathcal{S}} P_R) \leq \frac{1}{2}\sqrt{2^{r - H_2(X)}}. \qquad (1.24)$$

Since $H_2(X) \geq H_\infty(X)$, we have shown that a universal hash function is a strong $(r, \kappa, \frac{1}{2} 2^{\frac{1}{2}(r - \kappa)})$-extractor. Alternatively, if we wish to use universal hashing, and have $H_\infty(X) \geq \kappa$, then to ensure that the output is $\epsilon$-close to the uniform distribution, we can extract a string whose length is bounded by

$$r \leq \kappa - 2\log\frac{1}{2\epsilon}. \qquad (1.25)$$

The use of a hash function for privacy amplification is illustrated in Figure 1.3. The drawback of universal hashing is that picking a function randomly from the members of a universal set requires a long random string, $R$. Many universal classes require the string $R$ to have length equal to that of the string being hashed, although more efficient classes are known for cases in which the final string is very short compared to the initial one [22, 23]. For more general extractors, constructions which require a much shorter $R$ are known (see [24] for a recent review).
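As an added example (not the thesis's own code), the following script takes one concrete universal family, the set of all $r \times n$ binary matrices $M$ acting as $x \mapsto Mx$ over GF(2), and checks Definition 1.9 and the bound (1.24) exhaustively for constructed toy sizes. It computes the worst-case collision probability over all pairs of distinct inputs, the exact distance $D(P_{SR}, P_{U_\mathcal{S}} P_R)$ for a sample distribution $P_X$ with $R$ uniform over the family, and compares the latter with $\frac{1}{2} 2^{(r - H_2(X))/2}$. The sample distribution and the sizes $n = 4$, $r = 2$ are assumptions of the example; the family also illustrates the drawback noted above, since choosing $M$ uniformly costs $rn$ random bits.

```python
import math
from itertools import product
from collections import Counter

N_BITS, R_BITS = 4, 2   # constructed toy sizes: hash a 4-bit X down to a 2-bit S

def linear_hash_family(n, r):
    """All r x n binary matrices M; f_M(x) = M x over GF(2). Selecting M uniformly needs r*n random bits."""
    for bits in product((0, 1), repeat=n * r):
        yield tuple(tuple(bits[i * n:(i + 1) * n]) for i in range(r))

def apply_hash(matrix, x):
    """Returns the r-bit integer M x for an n-bit integer x (bit j of x multiplies column j)."""
    s = 0
    for row in matrix:
        bit = 0
        for j, m in enumerate(row):
            bit ^= m & (x >> j) & 1
        s = (s << 1) | bit
    return s

def worst_collision_probability(n, r):
    """max over distinct x1, x2 of Pr_f[f(x1) = f(x2)] with f uniform in the family (Definition 1.9)."""
    family = list(linear_hash_family(n, r))
    worst = 0.0
    for x1 in range(2 ** n):
        for x2 in range(x1 + 1, 2 ** n):
            coll = sum(apply_hash(m, x1) == apply_hash(m, x2) for m in family) / len(family)
            worst = max(worst, coll)
    return worst

def collision_entropy(px):
    """H_2(X) = -log2 sum_x P_X(x)^2, the quantity appearing in (1.23) and (1.24)."""
    return -math.log2(sum(p * p for p in px.values()))

def extractor_distance(px, n, r):
    """Exact D(P_SR, P_{U_S} P_R): R uniform over the family, S = f_R(X)."""
    family = list(linear_hash_family(n, r))
    p_r = 1.0 / len(family)
    joint = Counter()
    for idx, m in enumerate(family):
        for x, p in px.items():
            joint[(apply_hash(m, x), idx)] += p_r * p
    ideal = p_r / 2 ** r   # P_{U_S}(s) * P_R(r)
    total = sum(abs(joint.get((s, idx), 0.0) - ideal)
                for idx in range(len(family)) for s in range(2 ** r))
    return total / 2

def leftover_hash_bound(h2, r):
    """Right-hand side of (1.24): (1/2) * 2^{(r - H_2(X))/2}."""
    return 0.5 * 2 ** ((r - h2) / 2)

# Constructed input distribution: x = 0 is unusually likely, the other 15 values share the rest.
SAMPLE_PX = {x: (0.3 if x == 0 else 0.7 / 15) for x in range(2 ** N_BITS)}

def demo():
    h2 = collision_entropy(SAMPLE_PX)
    return {
        "universal_bound": 1 / 2 ** R_BITS,
        "worst_collision": worst_collision_probability(N_BITS, R_BITS),
        "h2": h2,
        "distance": extractor_distance(SAMPLE_PX, N_BITS, R_BITS),
        "bound": leftover_hash_bound(h2, R_BITS),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>16}: {v:.4f}")
```

For this family every pair of distinct inputs collides with probability exactly $2^{-r}$, because $Mx_1 = Mx_2$ iff $M(x_1 \oplus x_2) = 0$ and each row's inner product with a fixed non-zero vector is a uniform bit. The measured distance sits below the bound but is not small, since the sample $P_X$ has $H_\infty(X) \approx 1.74$ bits and we are asking for $r = 2$ output bits; by (1.25) that is more than this $\kappa$ supports for any useful $\epsilon$.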

1.4.2.2 Privacy Amplification

In the context of privacy amplification, there is additional information held by Eve. We denote this using the random variable $Z$. Again, Alice wants to compress her string, $X$, using public randomness,[13] $R$, to form $S = f(X, R)$, such that

$$D(P_{SR|Z=z}, P_{U_\mathcal{S}} P_R) \leq \epsilon. \qquad (1.26)$$

[13] Her randomness is public because she needs to send it to Bob in order that he can do the same.

Figure 1.3: Schematic showing privacy amplification of string $X$ to form $S$ using a universal hash function.
Consider applying the extractor property (see Definition 1.8) to the distribution $P_{X|Z=z}$. This gives that (1.26) is satisfied for $H_\infty(X|Z=z) \geq \kappa$. As we showed in the previous section, the string can be compressed to length $H_\infty(X|Z=z) - 2\log\frac{1}{2\epsilon}$. Alice does not know the value of this quantity, since she does not know $z$. However, the following lemma allows us to derive a useful bound.

Lemma 1.2. For a non-negative random variable, $x$, $-\log x \geq -\log\langle x\rangle - t$, except with probability less than $2^{-t}$.

Proof. The probability that $-\log x < -\log\langle x\rangle - t$ is the same as the probability that $x > 2^t\langle x\rangle$. Chebyshev's inequality then gives the result.[14] QED

As a straightforward corollary to Lemma 1.2 we have $H_\infty(X|Z=z) \geq H_\infty(X|Z) - t$, except with probability $2^{-t}$, where the conditional min-entropy is defined by

$$H_\infty(X|Z) = -\log\sum_z P_Z(z) \max_x P_{X|Z=z}(x). \qquad (1.27)$$

Hence, $H_\infty(X|Z) + \log\epsilon$ bounds $H_\infty(X|Z=z)$, except with probability $\epsilon$.

In summary, Alice and Bob, by exchanging $R$ publicly, can compress their shared random string $X$, which is correlated with a string $Z$ held by Eve, to a string $S$ of length roughly equal to $H_\infty(X|Z)$, which is essentially uncorrelated with $Z$ and $R$.

To gain an intuition about privacy amplification, it is helpful to consider an example. The set of all functions from $k$ bits to $r < k$ bits forms a universal set (albeit an extremely large one!). If one picks randomly from amongst this set, then (with high probability) the chosen function has the following property. If two strings are mapped under the chosen function, then the (Hamming) distance between the resulting strings is independent of that of the originals. Thus nearby strings are (with high probability) mapped to those which are not nearby. If Eve knows the original string, but with a few errors, then after it has been mapped, her error rate on the final string will likely be large. The probability of successful amplification is bounded by the probability that Eve can guess the initial string, since if she guesses correctly, she can discover the final one with certainty.

[14] Chebyshev's inequality states that for a non-negative random variable, $x$, and positive $a$, $P(x \geq a) \leq \frac{\langle x\rangle}{a}$, and is straightforward to prove.
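The following added example (not from the thesis) evaluates the conditional min-entropy (1.27) on a constructed distribution $P_{XZ}$ in which Eve learns Alice's string outright with a small probability and learns nothing otherwise. It shows why the sharp worst case over $z$ is zero while $H_\infty(X|Z)$ stays large, and checks the corollary of Lemma 1.2: the probability over $z$ that $H_\infty(X|Z=z)$ falls more than $t$ below $H_\infty(X|Z)$ is at most $2^{-t}$. The leak probability and string length are constructed for the illustration.

```python
import math

def marginal_z(pxz):
    """P_Z from a joint distribution given as a dict (x, z) -> probability."""
    pz = {}
    for (_, z), p in pxz.items():
        pz[z] = pz.get(z, 0.0) + p
    return pz

def max_joint_per_z(pxz):
    """max_x P_XZ(x, z) for each z; equals P_Z(z) * max_x P_{X|Z=z}(x)."""
    best = {}
    for (x, z), p in pxz.items():
        best[z] = max(best.get(z, 0.0), p)
    return best

def conditional_min_entropy(pxz):
    """H_inf(X|Z) of (1.27): -log2 sum_z P_Z(z) max_x P_{X|Z=z}(x)."""
    return -math.log2(sum(max_joint_per_z(pxz).values()))

def min_entropy_given_z(pxz):
    """H_inf(X|Z=z) for each z; the sharp worst case over z is the minimum of these values."""
    pz = marginal_z(pxz)
    best = max_joint_per_z(pxz)
    return {z: -math.log2(best[z] / pz[z]) for z in pz}

def failure_probability(pxz, t):
    """Probability over z that H_inf(X|Z=z) < H_inf(X|Z) - t. Lemma 1.2 bounds this by 2^-t."""
    h = conditional_min_entropy(pxz)
    hz = min_entropy_given_z(pxz)
    pz = marginal_z(pxz)
    return sum(pz[z] for z in pz if hz[z] < h - t)

def build_example(leak=0.1, n_bits=3):
    """Constructed P_XZ: X uniform on n_bits bits; with probability `leak` Eve's Z equals X exactly,
    otherwise Z is the uninformative symbol '?'."""
    size = 2 ** n_bits
    pxz = {}
    for x in range(size):
        pxz[(x, x)] = leak / size
        pxz[(x, "?")] = (1 - leak) / size
    return pxz

if __name__ == "__main__":
    pxz = build_example()
    print("H_inf(X|Z)        =", conditional_min_entropy(pxz))
    print("min_z H_inf(X|Z=z)=", min(min_entropy_given_z(pxz).values()))
    for t in (1, 2, 3):
        print(f"t={t}: failure prob {failure_probability(pxz, t):.3f} <= 2^-t = {2 ** -t:.3f}")
```

With a 10% leak on a 3-bit string, $H_\infty(X|Z) \approx 2.23$ bits, yet the minimum over $z$ is 0 because Eve sometimes knows $X$ exactly; taking $t = 1$ sacrifices one bit and the bound of Lemma 1.2 fails only on the leaked $z$ values, whose total probability 0.1 is well under $2^{-1}$.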

1.4.2.3 Significance Of Smoothed Entropies

The bounds we have presented on the length of secure key we can extract are not tight. In Section 1.4.2 we alluded to the fact that the length of extractable key is tightly bounded by smooth versions of the Rényi entropies (see Equation (1.20)). We briefly explain why this is the case. Recall the definition in (1.7)

$$H_\infty^\epsilon(X|Y) = \max_{\Omega} \left( -\log \max_{y} \max_{x} P_{X\Omega|Y=y}(x) \right),$$

where $\Omega$ is a set of events with total probability at least $1 - \epsilon$.

The smooth entropy quantity is formed from the sharp version by cutting away small sections of the probability distribution, and hence only considering the events $\Omega$. Since the events cut away occur with probability at most $\epsilon$, there is only a small effect on the probability of error. This may lead to a significant change in the entropy quantity,[15] and hence a much larger key can be extracted than that implied by the sharp entropy quantity.

1.4.2.4 Quantum Adversaries

Everything we have discussed in this section so far has been with respect to an eavesdropper holding classical information (the string $Z$). More generally, and of particular relevance when discussing QKD, the eavesdropper may attack in such a way that at the end of the protocol she holds a quantum state that is correlated with Alice's string.

Alice and Bob's procedure remains unchanged, so their final state at the end of the protocol (after privacy amplification) is classical, and corresponds to a string $S$. Eve, on the other hand, possesses a quantum system in Hilbert space $\mathcal{H}_E$. As in the classical case, security is ensured by constraining the trace distance. We demand

$$D(\rho_{SE}, \rho_{U_\mathcal{S}} \otimes \rho_E) \leq \epsilon, \qquad (1.28)$$

where $\rho_{U_\mathcal{S}}$ denotes the maximally mixed state in $\mathcal{H}_S$.

[15] See the discussion on the discontinuous nature of Rényi entropies in Section 1.3.4.3.

The trace distance cannot increase under trace-preserving quantum operations (i.e. unitary operations and alterations of system size), nor, on average, after measurements [?]. Hence, a key which satisfies (1.28) is secure in a composable manner. That is, the string $S$ can be treated as random and uncorrelated with another system in any application, except with probability $\epsilon$. We need to show how to turn the string $X$, correlated with Eve's quantum system, into the string $S$ which is virtually uncorrelated. It turns out that a universal hash function is suitable for this purpose, as in the classical case.

Including the classical spaces used to define the string $X$ and the random string, $R$, used to choose the hash function, the state of the system is

$$\rho_{XER} = \sum_{r \in \mathcal{R}} \sum_{x \in \mathcal{X}} \left( P_R(r) P_X(x) |x\rangle\langle x| \otimes \rho_E^x \otimes |r\rangle\langle r| \right). \qquad (1.29)$$

Having applied the hash function $f \in \mathcal{F}$, the state becomes

$$\rho_{SER} = \sum_{r \in \mathcal{R}} \sum_{s \in \mathcal{S}} \left( P_R(r) P_S(s) |s\rangle\langle s| \otimes \rho_E^s \otimes |r\rangle\langle r| \right), \qquad (1.30)$$

where $\rho_E^s = \frac{1}{P_S(s)} \sum_{x \in f^{-1}(s)} P_X(x) \rho_E^x$. Ideally, the state of the system in $\mathcal{H}_S$ would look uniform from Eve's point of view, even if she were to learn $R$. The variation from this ideal can be expressed in terms of the trace distance, $D(\rho_{SER}, \rho_{U_\mathcal{S}} \otimes \rho_{ER})$, and is bounded in the following theorem [21].

Theorem 1.6. If $f$ is chosen amongst a universal set of hash functions, $\mathcal{F}$, using random string $R$, and is used to map $X$ to $S$ as described above, then for $|\mathcal{S}| = 2^r$, we have

$$D(\rho_{SER}, \rho_{U_\mathcal{S}} \otimes \rho_{ER}) \leq \frac{1}{2} 2^{-\frac{1}{2}\left(H_\infty(\rho_{XE}|E) - r\right)}. \qquad (1.31)$$

Hence, as in the classical case, Alice and Bob can exchange a random string, $R$, publicly in order to compress their shared random string, $X$, which is partly correlated with a quantum system held by Eve, to a string $S$ of length roughly equal to $H_\infty(\rho_{XE}|E)$, which is essentially uncorrelated with Eve's system and with $R$.
A similar relation in terms of the smoothed version of the quantum min-entropy (see Equation (1.18)) provides a better bound on the key length [21]. Specifically, Equation (1.31) in Theorem 1.6 is replaced by

$$D(\rho_{SER}, \rho_{U_\mathcal{S}} \otimes \rho_{ER}) \leq \epsilon + \frac{1}{2} 2^{-\frac{1}{2}\left(H_\infty^\epsilon(\rho_{XE}|E) - r\right)}. \qquad (1.32)$$

Other extractors more efficient in the length of random string required are known (see, for example, [26], for ones that require order $\log n$ bits to compress an $n$ bit string). However, these extractors have not been proven to be secure against quantum attacks, and hence we choose not to use them in this thesis.

Note that privacy amplification using universal hash functions has certain composability properties. That the final string produced looks uniform to Eve means that even if all but one of the bits of the string are revealed, the final bit remains uniformly distributed from Eve's perspective.

1.5 Types Of Security

We outline here the various types of security to which we will refer:

1. Unconditional Security: Here the security relies only on the laws of physics being correct and applies even against a cheater with unlimited computational power (see for example [27–29]). A party can always cause the protocol to abort, but can never achieve any useful gain (i.e. can never discover any private information, or affect the outcome of the protocol).

2. Cheat-evident Security [?, 30]: The protocol is insecure in some way, but any useful cheating attack will be detected with certainty.

3. Cheat-sensitive Security [31–33]: The protocol has the property whereby any useful cheating attack by one party gives that party a non-zero probability of being detected.

4. Technological Security: Also known as computational security in many contexts, although technological security subsumes computational security. Assuming something about the technological (computational) power of the adversary, they have no useful cheating attack. However, its security will cease if the technological power increases or when a slow algorithm has cracked the code. Users of RSA, for instance, are only offered temporary security: our best algorithms take several years to factor an appropriately-sized product of prime numbers, and if a quantum computer can be built, much less.

Let us briefly describe what we mean by useful cheating. We do not demand our protocols prevent any kind of deviation, rather we require that all deviations are useless, in the sense that they do not give the deviating party any private information, or allow that party to influence the outcome of the task. For instance, in any protocol, either party can always declare abort at any stage. We do not consider this to be a problem, unless at the time of abortion, some private information has been gleaned.

If we are happy with technological security, then much in the way of secure multi-party computation has been accomplished. Kilian has shown that (at least classically) oblivious transfer (described in Section 1.8) can be used to implement any two-party secure computation [34]. Since oblivious transfer protocols based on computational assumptions exist (see for example [35]), we can generate technologically secure protocols for two-party secure computations in the classical world.

Unconditional security is the holy grail of the field, and is the strongest type of security we could hope for, although, as we point out in Section 1.6, there are always additional assumptions involved. In many situations, cheat-evident security will suffice. This will be the case when being caught cheating accrues a large penalty. Consider the case of a bank engaging in a protocol with one of its clients. If the client catches the bank cheating, the resulting media scandal will certainly be detrimental for the bank, while the bank who catches its client cheating can impose some large fine. If the penalties are high enough, cheat-sensitive security could be sufficient to prevent a party from cheating.

In general, when discussing specific protocols, we will find that they may have one or more security parameters, $\{N_1, \ldots, N_r\}$. A protocol is said to be perfectly secure if there exist fixed, finite values of the $\{N_i\}$ for which the security conditions relevant to the protocol hold. In practice, we will tolerate some (sufficiently small) probability of failure. We say that a protocol is secure if the security conditions become increasingly close to holding as the $\{N_i\}$ tend to infinity. This means that, for any non-zero failure probability sought, there exists a set of values for the security parameters for which the protocol achieves this failure rate.

1.6 The Setting 

In order to do cryptography, one has to set up a precise world in which actions 
take place. Such a world provides the framework in which one can make rigorous 
mathematical statements, and hence prove results about security. The actual 
security we can achieve in practice depends on how closely the actual environment 
in which we perform our protocol resembles our mathematically defined world. 
Ideally the two would coincide. In general though, we will introduce assumptions 
in order to create a simple mathematical framework. 

The type of worlds that concern us will be distinguished as either relativistic, 
or non-relativistic (depending on whether we want to rely on the impossibility of 
super-luminal signalling for security), and either quantum or classical (depending 
on whether the users can create and manipulate quantum systems or not). Before 
discussing these distinctions, we give an overview of the set of assumptions that 
we will apply within all of our fictitious worlds. 

It is impossible to do cryptography without assumptions: the challenge is to 
see what can be done assuming as little as possible. The weaker the terms of 
our assumptions, the more powerful the result. Although some assumptions are 
unrealistic in their literal form, they are often sufficient for realistic purposes. 
Take for example the following: 

Assumption 1. Each party has complete trust in the security of their laboratory. 

By this we mean that nothing within their laboratories can be observed by outsiders. Without this assumption, cryptography is pointless, and yet no laboratory in the world will satisfy such a property. Can anyone really be sure that there isn't a microscopic camera flying around their lab, reporting back data to their adversaries? As a matter of principle any laboratory must be coupled to the environment in some way,[16] and this opens up a channel through which private information could flow. However, as a practical aside, most parties could set up a laboratory for which they would be happy that Assumption 1 holds to good enough approximation. In so doing, they are in essence making technological assumptions about their adversaries.

No matter what the setting, we will always assume Assumption 1. Then, when we talk about, for example, unconditional security, we implicitly mean unconditional security given our assumptions or unconditional security within our model. This caveat does not allow us to turn technologically secure protocols into unconditionally secure ones by making appropriate assumptions. A technologically secure protocol is always insecure from an information-theoretic point of view. For example, under the assumption that factoring is hard, we can say that the RSA cryptosystem is technologically secure, while without this assumption, it is insecure.

In the spirit of making the result as powerful as possible, we will also make the following assumption:

Assumption 2. Each party trusts nothing outside their own laboratory.

In particular, this precludes the possibility of doing cryptography using a trusted third party, or a source of trusted noise (a situation in which many cryptographic tasks are known to be achievable [36–38]).

If a protocol is secure under this assumption, then it is secure even if our adversaries can control the rest of the universe. In particular, we make no assumption about any other participants in the protocol. We allow for the possibility that they may have arbitrarily good technology, and arbitrarily powerful quantum computers. In addition, even if all the other players collude in the most appropriate way, the protocol must continue to protect any honest participants. We need not furnish such protection upon dishonest parties.

We choose to perform our protocols within perfect environments, so that all communications are noiseless, all instruments operate perfectly, and additional parties make no attempt to interfere with any communications (but the parties with which we are trying to interact might). We sum this up in the following assumption:

Assumption 3. All communication channels and devices operate noiselessly.

[16] Interactions with a laboratory unable to exchange information with the outside world would be problematic!

It is very convenient to make this assumption in cryptographic scenarios since 
it allows all errors that occur during the implementation of a protocol to be 
attributed to attacks by another party. In the real world, it will be necessary 
to drop this assumption, so proliferating the complications of otherwise much 
simpler protocols. This leads to a discussion of reliability. We say that a protocol 
is perfectly reliable if for some fixed finite values of the security parameters it 
has the property that if both parties are honest, the protocol succeeds without 
aborting. In the presence of noise, for finite values of the security parameters, 
there will always be some probability that an honest protocol aborts. The best 
we can hope for in such a situation is a reliable protocol, where, as the security 
parameters tend to infinity, the protocol tends towards perfect reliability. Given 
that we assume Assumption 3, we will always look for perfectly reliable protocols. 

In the future, one might anticipate quantum technology becoming as widespread 
as classical technology is today. A local hardware retailer might act as a 
supplier of basic components (unitary gates, measurement devices etc.). A 
cavalier supplier might sell faulty goods. A malicious supplier might sell devices 
that would give him or her crucial information in a subsequent protocol. The 
following assumption rids us of such considerations: 

Assumption 4. Each party has complete knowledge of the operation of the de- 
vices they use to implement a protocol. 

Assumptions 1-4 will be implicitly assumed in the protocols discussed in this 
dissertation, unless otherwise stated. In particular, in Chapter 5 we discuss a task 
where we drop Assumption 4 and assume instead that all of the devices used are 
sourced from a malicious supplier. Whether a particular set of assumptions is 
sufficiently accurate is ultimately a matter for the protocol's user. 

1.7 Cryptographic Protocols 

A protocol is a series of instructions such that if each party follows the instructions 
precisely, a certain task is carried out. The protocol may permit certain parties 
to make inputs at various stages, and may allow them to call on random strings 
in their possession to make such inputs. If the protocol is complete, each party 
should have a specified response to cover any eventuality. 

Each party in a protocol has a set of systems on which they interact. Systems 
on which more than one party can interact form the channel, which, in the case 
of more than two parties, may have distinct parts. In general, the channel system 
may be intercepted by a malicious party at any time. One can always assume 
that the size of the channel system is fixed throughout the protocol. A protocol 
in which this is not the case can be transformed into one with this property by 
first enlarging the channel system by adding ancillary systems, then replacing any 
operations where a system is added to the channel by swap operations between 
the system to be added and an ancilla in the channel. 

1.7.1 Non-Relativistic Protocols 

Non-relativistic protocols involve the exchange of classical or quantum informa- 
tion between parties whose locations are completely unconstrained. In such pro- 
tocols, there is a set order in which the communications occur, and such commu- 
nications may effectively be assumed instantaneous. No constraint is placed on 
the amount of time each party has to enact a given step of a protocol, and hence 
the surrounding spacetime in which the participants live is irrelevant. 

Consider as an illustration a two party protocol between Alice and Bob. Sup- 
pose that the first communication in the protocol is from Alice to Bob. We denote 
Alice's Hilbert space by $\mathcal{H}_A$, Bob's by $\mathcal{H}_B$, and the channel's by $\mathcal{H}_C$. Any two 
party protocol then has the following form. 

Protocol 1.2. 

1. Alice creates a state of her choice in $\mathcal{H}_A \otimes \mathcal{H}_C$ and Bob creates a state of his 
choice in $\mathcal{H}_B$. We can assume that these states are pure, with each party 
enlarging their Hilbert space if required. 

2. Alice sends the channel to Bob. 

3. Bob performs a unitary of his choice on $\mathcal{H}_C \otimes \mathcal{H}_B$. 

4. Bob sends the channel to Alice. 

5. Alice performs a unitary of her choice on $\mathcal{H}_A \otimes \mathcal{H}_C$. 

N. At the end of the protocol, both parties measure certain parts of their 
spaces. 

Note the following. It is sufficient for Alice and Bob to do unitaries on all 
systems in their possession at each step of the protocol. All system enlargement 
can be performed when creating the initial states in Step 1, and all measurements 
can be kept at the quantum level until the end of the protocol (see Section 
1.3.1.1). If we label the unitary operations $U_1, U_2, \ldots$, then prior to measurement, 
the protocol has implemented the unitary $((U_1 \otimes \mathbb{1}_B)(\mathbb{1}_A \otimes U_2) \ldots)$ on the initial 
state. The measurement in Step N may be used both to check that the protocol 
took place correctly, and also to determine a classical output. This procedure is 
illustrated in Figure 1.4. 

A classical non-relativistic protocol is a special case in which all states are 
replaced by classical data, unitary operations are replaced by classical functions 
of such data, and we give each party private randomness.^17 

1.7.2 Relativistic Protocols 

In this dissertation, we will assume that relativistic protocols take place in a 
Minkowski spacetime. For practical purposes this is an over-simplification. In 
a more general spacetime the participants could adopt the protocols we offer 
providing they are confident in their knowledge of the structure of the surrounding 
spacetime and how it changes during the protocol to sufficient precision. A secure 
protocol could be built along the lines of the ones we present provided that bounds 
on the minimum light travel times between sets of separated sites are known 
for the duration of the protocol. Any protocols carried out on Earth would 
certainly fit such criteria. To avoid a more elaborate discussion, detracting 
from the important features of our protocols, we restrict to unalterable Minkowski 
spacetimes. For notational simplicity, we will also restrict our discussion to the 
two-party case in the remainder of this section. 

17 In a quantum protocol, private randomness comes for free since either party can create a 
state for which measurement in the computational basis yields the desired probability distribu- 
tion. 

Figure 1.4: Schematic of a non-relativistic protocol between two parties. A rep- 
resents Alice's systems, B represents Bob's systems, and C is the channel. Alice 
and Bob alternately perform unitaries as the protocol proceeds. 

We use units in which the speed of light is unity and choose inertial coordi- 
nates, so that the minimum possible time for a light signal to go from one point 
in space to another is equal to their spatial separation. In a (two-party) rela- 
tivistic protocol, Alice and Bob are required to each set up laboratories within 
an agreed distance, $\delta$, of two specified locations,^18 $x_1$ and $x_2$. Their separation is 
denoted $\Delta = |x_1 - x_2| \gg \delta$. No restrictions are placed on the size and shape of 
the laboratories, except that they do not overlap. 

We refer to the laboratories in the vicinity of $x_i$ as $A_i$ and $B_i$ for $i = 1$ or 
2. We use the same labels for the agents (sentient or otherwise) assumed to be 
occupying these laboratories. $A_1$ and $A_2$ operate with complete mutual trust and 
have completely prearranged agreements on how to proceed such that we identify 
them together simply as Alice; similarly $B_1$ and $B_2$ are identified as Bob. This 
setup is shown schematically in Figure 1.5. 

To ensure in advance that their clocks are synchronized and that their com- 
munication channels transmit at sufficiently near light speed, the parties may 
check that test signals sent out from each of Bob's laboratories receive a response 
within time $4\delta$ from Alice's neighbouring laboratory, and vice versa. However, 
the parties need not disclose the exact locations of their laboratories, or take it 
on trust that the other has set up laboratories in the stipulated regions (cf. As- 
sumption 2). (A protocol which required such trust would, of course, be fatally 
flawed.) Each party can verify that the other is not significantly deviating from 
the protocol by checking the times at which signals from the other party arrive. 
These arrival times, together with the times of their own transmissions, can be 
used to guarantee that particular specified pairs of signals, going from Alice to 
Bob and from Bob to Alice, were generated independently. This guarantee is all 
that is required for security. 

18 This discussion generalizes in an obvious way to cover protocols which require Alice and 
Bob to control three or more separate sites. 

We also assume that $A_1$ and $A_2$ either have, or can securely generate, an 
indefinite string of random bits. This string is independently generated and 
identically distributed, with probability distribution defined by the protocol, and 
is denoted $x = \{x_i\}$. Similarly, $B_1$ and $B_2$ share a random string $y = \{y_i\}$. 
These random strings will be used to make all random choices as required by the 
protocol: as $A_1$ and $A_2$, for instance, both possess the same string, $x$, they know 
the outcome of any random choices made during the protocol by the other. We 
also assume the existence of secure authenticated pairwise channels between the 
$A_i$ and between the $B_i$.^19 These channels are not necessarily unjammable, but if 
an honest party fails to receive the signals as required by a protocol, they abort. 
Alternatively, one can think of Alice and Bob as occupying very long laboratories, 
as depicted in Figure 1.6. 

A relativistic protocol will be defined within this framework by a prescribed 
schedule of exchanges of classical or quantum information between the various 
agents. In essence it involves two non-relativistic protocols, one played out at each 
of the separated locations. These protocols have a limited ability to communicate 
between one another. This generates a constraint on the unitaries that can be 
performed at various points in the protocol, since part of Alice's Hilbert space may 
be in the secure channel between $A_1$ and $A_2$, and hence temporarily inaccessible. 

19 Note that this is not an unreasonable assumption; these can easily be set up using the 
familiar QKD schemes, or simply by using the shared random strings as one-time pads, and in 
suitable authentication procedures. 

Figure 1.6: Alternative setup for a relativistic protocol with two separated sites. 

In a brief excursion to the real world, we note that the relativistic setup we 
have described is not unrealistic. $A_1$, $A_2$, $B_1$ and $B_2$ need not be humans per- 
forming measurements by hand; rather they can be machines performing millions 
of operations per second. At a separation of just 3 m, one has around 10 ns to 
do operations. This, admittedly, is a little unrealistic for today's technology, but 
at 3 km, we have roughly 10 μs in which to act. Using an estimate of $10^8$ gates 
per second, we can perform $10^3$ operations in this time. We certainly do not 
need planetary separations for such schemes. There is also the matter of a trade- 
off between large distance and low noise, especially when considering quantum 
protocols, but because of Assumption 3 we will not be concerned by this. 

1.8 Cryptographic Primitives 

Three cryptographic primitives will be particularly relevant in this thesis: Coin 
tossing, oblivious transfer (OT) and bit commitment (BC). We give a brief out- 
line of these tasks here. 
Coin tossing protocols aim to generate a uniform random bit that is shared by 
two parties in such a way that neither party can influence the bit's value. They 
will be discussed in detail in Chapter 2. 

OT comes in several flavours. In this thesis, we use OT to describe the 
following functionality. Alice sends a bit to Bob, either 1 or 0. Bob either learns 
Alice's bit, or he learns nothing, each with probability $\frac{1}{2}$. Alice does not learn 
whether Bob received her bit or not. It turns out that this task is sufficient to 
allow any secure multi-party computation [34]. Hence, OT is in some sense the 
holy grail of the field. However, it is known that OT is impossible [29]. We give 
a proof of this in Section 4.4.3. 

BC is another important cryptographic primitive. A BC protocol involves two 
steps. In the first step, one party commits to a bit. In the second, which occurs 
at some later time chosen by the committer, this bit is revealed to a second party. 
Before revelation, the second party is oblivious to the value of the bit, while the 
first is unable to alter its value. One flavour of BC can be used to build a protocol 
for OT [39]. A BC of this type is impossible to construct, even in a relativistic 
world (the Mayers-Lo-Chau argument [28, 40] for non-relativistic protocols is easy 
to extend). Nevertheless, Kent has shown that a slightly different flavour of BC is 
possible in a classical, relativistic world [27, 41]. He further conjectures that this 
protocol remains secure in a quantum world, against the most general quantum 
attack, but presently this is unproven. 

We will not go into the range of subtleties surrounding the various types of BC 
(the interested reader should refer to [27] for a longer discussion). Here we simply 
point out that Kent's BC schemes require sustained communications in order to 
maintain the commitment, and that they have the property of retractability, that 
is, the party making the commitment can get their committed state returned if 
they later decide not to follow through with the unveiling. This latter feature is 
what scuppers the use of relativistic bit commitment (RBC) schemes for building 
Yao's OT scheme [27, 39]. 



We will use RBC as a subprotocol in some of the schemes we later discuss, so, 
for completeness, we outline a protocol for its implementation here. We choose 
the simplest of Kent's schemes, RBC1, in the case where Alice commits a bit to 
Bob: 
Protocol 1.3. (RBC1) 

1. $B_1$ sends to $A_1$ an ordered pair, $(n_{1,0}, n_{1,1})$, of random non-equal integers. 
These, along with all other integers used in the protocol, will be in the set 
$\{0, \ldots, N-1\}$, and all arithmetic performed is modulo $N = 2^p$, for integer 
$p$. 

2. To commit to bit $b$, $A_1$ returns $n_{1,b} + m_1$ to $B_1$. 

3. To sustain the commitment, $A_2$ commits the binary form $a_{p-1}, a_{p-2}, \ldots, a_0$ 
of $m_1$ to $B_2$, by having $B_2$ send the random integer pairs $(n_{2,0}, n_{2,1}), (n_{3,0}, n_{3,1}), 
\ldots, (n_{p+1,0}, n_{p+1,1})$, and returning the set $n_{2,a_0} + m_2, n_{3,a_1} + m_3, \ldots, 
n_{p+1,a_{p-1}} + m_{p+1}$. 

4. This procedure then iterates, with $A_1$ committing the binary form of $m_2, \ldots, 
m_{p+1}$ to $B_1$ in an analogous way. 

At some later time, Alice can unveil on either or both sides. For $A_1$ to unveil, 
she sends to $B_1$ the list of random numbers, $\{m_j\}$, used by $A_2$ in her last set of 
commitments. ($A_1$ knows these because they were generated using the shared 
random string $x$.) $B_1$ receives this list at such a time that he can ensure they 
were sent in a causally disconnected manner to the receipt of the random pairs 
$\{(n_{j,0}, n_{j,1})\}$ by $A_2$. $B_1$ and $B_2$ can then share all their data, and verify that it 
did correspond to a valid commitment of either 0 or 1. 
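As an added illustration of the arithmetic in Protocol 1.3 (not code from the thesis), the following Python models one commit, one sustaining round, an unveil and Bob's verification of RBC1 for a small p. The timing and causal-separation checks, which are what actually secures the scheme, are not modelled; the bit ordering (a_0 least significant) and the use of Python's secrets module in place of the shared random string x and Bob's random pairs are assumptions.

```python
"""Added illustration of RBC1 (Protocol 1.3) arithmetic: commit, one
sustaining round, unveil and Bob's verification.  Not code from the
thesis.  Timing / light-speed checks are NOT modelled; `secrets` stands in
for the shared random string x and for Bob's random pairs (assumption)."""
import secrets

P = 8            # p: integers live in {0, ..., 2^p - 1} (constructed, small)
N = 2 ** P       # all arithmetic is modulo N = 2^p


def random_pair():
    """Bob's ordered pair (n_{k,0}, n_{k,1}) of distinct integers mod N."""
    n0 = secrets.randbelow(N)
    n1 = secrets.randbelow(N)
    while n1 == n0:
        n1 = secrets.randbelow(N)
    return (n0, n1)


def binary_form(m):
    """Bits a_0 .. a_{p-1} of m, a_0 least significant (ordering assumed)."""
    return [(m >> k) & 1 for k in range(P)]


def commit(pair, b, m1):
    """Step 2: A_1 returns n_{1,b} + m_1 (mod N) to commit to bit b."""
    return (pair[b] + m1) % N


def sustain(pairs, m1, ms):
    """Step 3: A_2 commits the bits a_k of m_1 using Bob's p fresh pairs
    (n_{k+2,0}, n_{k+2,1}) and fresh random m_{k+2}: returns the list of
    n_{k+2,a_k} + m_{k+2} (mod N) for k = 0 .. p-1."""
    a = binary_form(m1)
    return [(pairs[k][a[k]] + ms[k]) % N for k in range(P)]


def verify(pair1, c1, pairs, cs, unveiled_ms, b_claimed):
    """Bob's check once A_1 unveils the m's of the last sustaining round:
    peel each sustaining commitment back to a bit a_k, rebuild m_1, and
    test whether c1 is a commitment of b_claimed.  Returns True/False."""
    bits = []
    for k in range(P):
        v = (cs[k] - unveiled_ms[k]) % N
        if v == pairs[k][0]:
            bits.append(0)
        elif v == pairs[k][1]:
            bits.append(1)
        else:
            return False          # matches neither n_{k+2,0} nor n_{k+2,1}
    m1 = sum(bit << k for k, bit in enumerate(bits))
    return (c1 - m1) % N == pair1[b_claimed]


def run_rbc1(b):
    """One honest execution committing to bit b.  Returns the pair
    (accepted as b, accepted as 1-b): an honest unveil of b must be
    accepted and an unveil of the opposite bit must be rejected."""
    pair1 = random_pair()                              # from B_1
    m1 = secrets.randbelow(N)                          # from shared string x
    c1 = commit(pair1, b, m1)                          # A_1 -> B_1
    pairs = [random_pair() for _ in range(P)]          # from B_2
    ms = [secrets.randbelow(N) for _ in range(P)]      # m_2 .. m_{p+1}
    cs = sustain(pairs, m1, ms)                        # A_2 -> B_2
    # Later A_1 sends {m_j} of the last round to B_1; B_1 and B_2 pool data.
    return (verify(pair1, c1, pairs, cs, ms, b),
            verify(pair1, c1, pairs, cs, ms, 1 - b))


if __name__ == "__main__":
    print(run_rbc1(0), run_rbc1(1))   # (True, False) (True, False)
```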

This protocol has the undesirable feature that it requires an exponentially 
increasing rate of communication. However, Kent has also introduced a second 
protocol, RBC2, which combines RBC1 with a scheme due to Rudich, in order to 
achieve RBC with a constant transmission rate. The full details of this scheme 
can be found in [27], and are not presented in this thesis. 
The Power Of The Theory - 
Strong Coin Tossing 

"A theory is acceptable to us only if it is beautiful" - Albert Einstein 

2.1 Introduction 

Landauer's often quoted doctrine, "information is physical" succinctly expresses 
the fact that what can and cannot be done in terms of information processing 
is fundamentally dictated by physics. Information processing is performed by 
physical machines (abacuses, computers, human beings, etc.), and the power 
of these limits the information processing power. In light of the above, it is 
not surprising that new physical theories lead to changes in information 
processing power. Historically, though, more than 50 years elapsed between the 
development of quantum theory and the realization that it offers an increase in 
information processing power. This delay can surely be attributed, at least in 
part, to the failure of both physicists and information theorists to recognize the 
physical nature of information. 

In this chapter, we illustrate the role of the physical theory in information 
processing power. We consider theories that are either quantum or classical, 
and are either relativistic or not. The relevance of the different theories for the 
construction of protocols has been described in Section 1.7. Here we give specific 
examples. As a focus for our discussion we use one of the simplest cryptographic 
tasks: strong coin tossing. A classical non-relativistic theory cannot realize this 
task to any extent. Introducing quantum mechanics allows protocols with partial 
security, while relativistic protocols can realize the task perfectly. 

Informally, a coin tossing protocol seeks to allow two separated parties to 
exchange information in such a way that they generate a shared random bit. The 
bit is random in the sense that (ideally) 0 or 1 occur with probability $\frac{1}{2}$ each, and 
neither party can increase the probability of either outcome by any method. In 
many physical models, this ideal cannot be achieved. In such cases one weakens 
the requirements of the protocol. It is demanded that if both participants are 
honest, the outcome is 0 or 1 with probability $\frac{1}{2}$ each. A protocol is then given a 
figure of merit in terms of the maximum cheating probability a dishonest party 
can achieve against an honest party. The quantity often used is the bias, the 
deviation of the maximum cheating probability from $\frac{1}{2}$. A strong coin tossing 
protocol seeks to protect an honest party from a dishonest party whose direction 
of bias is unknown, while a weak coin toss seeks to protect an honest party only 
against the dishonest party biasing towards one particular outcome. Commonly, 
coin tosses are of the latter form (e.g. Alice and Bob, having recently divorced, 
want to decide who keeps the car). Strong coin tosses are relevant in situations 
where there is knowledge asymmetry between the parties, so that it is not clear to 
one which way the other wishes to bias (e.g. Alice knows whether the car works 
but Bob does not). 

In the next sections, we give formal definitions of the relevant coin tossing 
tasks before discussing how well they can be achieved in the various physical 
models of interest. Our contribution in this area is Protocol 2.2, for which no 
protocols are known with a better bias. 

2.2 Definitions 

In a coin tossing protocol, two separated and mistrustful parties, Alice and Bob, 
wish to generate a shared random bit. We consider a model in which they do not 
initially share any resources, but have access to trusted laboratories containing 
trusted error-free apparatus for creating and manipulating quantum states (cf. 
Assumptions 1-4). In general, a protocol for this task may be defined to include 
one or more security parameters, which we denote $N_1, \ldots, N_r$. 

If both parties are honest, a coin tossing protocol guarantees that they are 
returned the same outcome, $b \in \{0, 1\}$, where outcome $b$ occurs with probability 
$\frac{1}{2} + \zeta_b(N_1, \ldots, N_r)$, or "abort", which occurs with probability $\zeta_2(N_1, \ldots, N_r)$, and 
for each $j \in \{0, 1, 2\}$, $\zeta_j(N_1, \ldots, N_r) \to 0$ as the $N_i \to \infty$. The bias of the 
protocol towards party $P \in \{A, B\}$ is denoted $\epsilon_P = \max(\epsilon_P^0, \epsilon_P^1)$, where $P$ can 
deviate from the protocol in such a way as to convince the other (honest) party 
that the outcome is $b$ with probability at most $\frac{1}{2} + \epsilon_P^b + \delta_P(N_1, \ldots, N_r)$, and the 
$\delta_P(N_1, \ldots, N_r) \to 0$ as the $N_i \to \infty$. We make no requirements of the protocol 
in the case where both parties cheat. 

The bias of the protocol is defined to be $\max(\epsilon_A, \epsilon_B)$. A protocol is said to be 
balanced if $\epsilon_A^b = \epsilon_B^b$, for $b = 0$ and $b = 1$. 

We define the following types of coin tossing: 

Definition 2.1. (Ideal Coin Tossing) A coin tossing protocol is ideal if it 
has $\epsilon_A = \epsilon_B = 0$, that is, no matter what one party does to try to bias the 
outcome, their probability of successfully doing so is strictly zero. It is then 
said to be perfectly secure if for some finite values of $N_1, \ldots, N_r$, the quantities 
$\zeta_j(N_1, \ldots, N_r)$ and $\delta_P(N_1, \ldots, N_r)$ are strictly zero, and otherwise is said to be 
secure. 

Definition 2.2. (Strong Coin Tossing) A strong coin tossing protocol is pa- 
rameterized by a bias, $\gamma$. The protocol has the property that $\epsilon_P^b \le \gamma$ for all 
$P \in \{A, B\}$ and $b \in \{0, 1\}$, with equality for at least one combination of $P$ and 
$b$. 

Definition 2.3. (Weak Coin Tossing) A weak coin tossing protocol is also 
parameterized by a bias, $\gamma$. It has the property that $\epsilon_A^0 \le \gamma$ and $\epsilon_B^1 \le \gamma$, with 
equality in at least one of the two inequalities. 

2.3 Where Lies The Cryptographic Power? 

Cryptography involves secrets. One generally begins in a situation in which each 
party holds private data, and ends in a situation in which each party gains a 
specified and often highly restricted piece of information on the inputs of the 
others. Let us specialize to the case of two party protocols. Kilian [34] sums 
up the difficulty of classical protocols for these on the grounds that at any point 
in such a protocol, one party knows exactly what information is available to the 
other, and vice-versa. If this knowledge symmetry can be broken (for example by 
assuming the existence of a black-box performing OT, or by using a trusted noisy 
channel [36-38]) then any secure multi-party computation can be performed [34]. 

Quantum mechanics also provides a way of generating knowledge asymmetry. 
For example, consider a protocol which involves Alice choosing one of two non- 
orthogonal bases at random to encode each bit. She sends the quantum states 
which store the encodings to Bob. Bob, being unaware of Alice's bases, cannot 
reconstruct her bits with certainty. Likewise, if Bob measures each state he 
receives in one of the two encoding bases chosen at random, then Alice cannot tell 
exactly what Bob knows about her string. Therefore, information completeness is 
lost, and extra cryptographic power exists over protocols involving only classical 
systems. 

The procedure described above acts like a noisy channel, but there is a key 
cryptographic difference between the two. The noise generated by a noisy channel 
comes from an outside system, while that generated by sending quantum states 
is inherent to the physics of the system. From a cryptographic point of view, 
the former is equivalent to assuming the existence of a trusted third party. If 
either party could tap into the system generating the noise, then security would 
be compromised. This is a by-product of the fundamental reversibility of classical 
processes — if the process causing the noise was reversed, the information would 
be recovered. This is not the case for a quantum mechanical measurement. The 
process by which it is generated is fundamentally irreversible, and hence such a 
security issue does not arise.^1 This is not the only source of cryptographic power 
generated by quantum theory. Another comes from the so-called monogamy of 
entanglement, which provides security in Ekert's variant of the BB84 protocol 
[42], and also in the protocols we discuss in Chapter 5. 

1 It is the possibility of delaying measurement that prevents such a quantum system being 
used to build OT as the standard classical reductions [36-38] imply. However, provided at least 
one party behaves honestly, information completeness is lost. 

Relativistic protocols allow short-lived perfectly binding and perfectly conceal- 
ing commitments.^2 When $A_1$ sends classical information to $B_1$, she is perfectly 
committed to it (since $B_1$ knows it). However, from $B_2$'s point of view, this 
commitment is perfectly concealing for the light travel time. Anything $B_2$ sends 
to $A_2$ within this time he does in ignorance of $A_1$'s message. This is where the 
power lies in relativistic cryptography. 



2.4 Coin Tossing 

2.4.1 Classical Non-Relativistic Protocols 

Coin tossing is a two person game. The "moves" of the game are the communi- 
cations of the parties. In the classical and non-relativistic case, coin tossing can 
be studied using well-established techniques of game theory. It can be phrased 
as a zero-sum game, meaning that the payoffs for any outcome sum to zero. (We 
can assign +1 for a win, —1 for a loss, and 0 to abort for each party. Thus if 
Alice wins, she gets +1, while Bob gets —1, these having zero sum. The exact 
payoffs may not be precisely these, but this should not affect the security of the 
computation.) 

We present here a (sketch) proof of the impossibility of classical coin tossing 
based on a result of game theory. The result we need refers to complete infor- 
mation games, which are those for which each party knows all previous moves of 
all other parties prior to making theirs. The result states that all (finite) zero- 
sum complete-information 2-person games are strictly determined, i.e., one party 
following their optimal strategy can win against any strategy of the other. 

Consider games in which there are no random moves. After the last move has 
been made, the game has a defined payout. Let us suppose that a positive payout 
favours Alice, and a negative one favours Bob.^3 Suppose Bob makes the last move. 
He will choose his move so as to minimize the payout. Assuming no degeneracy, 
the last move is determined by this. (If there is degeneracy, then Bob can choose 
freely from amongst the degenerate moves. Alternatively, one could construct 
a new game in which the degenerate moves are combined.) Since this move is 
determined, we can define a game with one fewer moves in which the payouts are 
defined by what results if Bob follows his optimal strategy. This shorter game has 
Alice making the final move, which she does so as to maximize the payout. Thus, 
if we assume Alice and Bob always make their best play at every opportunity, 
this process iterates so that the entire game is completely determined. That is, 
one player always has a winning strategy against any strategy of the other. Since 
the winning strategy works against any strategy of the other, it also works if 
the other makes random choices at certain points in the protocol. The above 
argument is formally proven in Chapter 15 of [43]. 

2 From which longer-lived ones can be constructed, as discussed previously. 
3 Since the game is zero-sum, the payout to Alice is always opposite that of Bob. 

A classical non-relativistic coin tossing protocol is such a game, and hence one 
party can always win with certainty, i.e., the best achievable bias is $\frac{1}{2}$. 
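The backward-induction argument above, carried out in code on a constructed complete-information coin-tossing game (an added illustration, not code from the thesis): Alice and Bob alternately announce one bit each, the coin is the XOR of all bits, and the payout is +1 for coin 0 (favouring Alice) and -1 for coin 1 (favouring Bob). The minimax value is always +1 or -1, and the determined winner wins every game against an opponent who chooses bits at random.

```python
"""Added illustration of strict determination for a small classical,
complete-information coin-tossing game.  Not code from the thesis.
Game (constructed): `rounds` alternating single-bit announcements, Alice
first; coin = XOR of all bits; payout +1 if coin is 0, -1 if coin is 1."""
import random
from functools import lru_cache


def xor_payout(history):
    """Payout once all moves in `history` (a tuple of bits) are made."""
    coin = 0
    for bit in history:
        coin ^= bit
    return 1 if coin == 0 else -1


@lru_cache(maxsize=None)
def subgame_value(history, rounds):
    """Minimax value of the game after the moves in `history`: Alice moves
    at even depth and maximises, Bob at odd depth and minimises."""
    if len(history) == rounds:
        return xor_payout(history)
    children = [subgame_value(history + (bit,), rounds) for bit in (0, 1)]
    return max(children) if len(history) % 2 == 0 else min(children)


def game_value(rounds):
    """Value of the whole game; strict determination means it is +1 or -1."""
    return subgame_value((), rounds)


def optimal_move(history, rounds):
    """Best play for whoever is to move, found by solving the subgames."""
    maximising = len(history) % 2 == 0
    vals = {bit: subgame_value(history + (bit,), rounds) for bit in (0, 1)}
    return max(vals, key=vals.get) if maximising else min(vals, key=vals.get)


def play(rounds, winner_is_alice, rng):
    """One game in which the determined winner plays optimally and the other
    party picks each bit uniformly at random.  Returns the payout."""
    history = ()
    while len(history) < rounds:
        alice_to_move = len(history) % 2 == 0
        if alice_to_move == winner_is_alice:
            bit = optimal_move(history, rounds)
        else:
            bit = rng.randrange(2)
        history += (bit,)
    return xor_payout(history)


def win_fraction(rounds, trials, seed=0):
    """Fraction of games the determined winner wins against random play."""
    rng = random.Random(seed)
    value = game_value(rounds)
    winner_is_alice = value > 0
    wins = sum(play(rounds, winner_is_alice, rng) == value
               for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    for r in (1, 2, 3, 4):
        print(r, game_value(r), win_fraction(r, 200))
```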

Note that both non-relativistic quantum protocols and relativistic protocols 
do not fit into this model. In a quantum protocol, if one party is allowed to 
choose their measurement basis, the other does not know what information they 
received. In a relativistic protocol, timing constraints can be used to ensure that 
one party must make a move without knowledge of those of the other party. It 
is therefore possible to construct protocols which are not information complete, 
and hence the above argument does not go through. We will demonstrate this 
below by giving coin tossing protocols whose bias is less that |. 

2.4.2 Quantum Non-Relativist ic Protocols 

Such protocols, commonly abbreviated as quantum protocols, have been widely 
studied in the literature. That quantum coin tossing protocols offer some ad- 
vantage over classical ones was realized by Aharonov et al. [3], who introduced 
a protocol achieving a bias of ^= [31, 44]. For strong coin tossing, it has been 
shown by Kitaev that in any protocol, at least one party can achieve a bias greater 
than $\frac{1}{\sqrt{2}} - \frac{1}{2}$ [45]. It is not known whether this figure represents an achievable 
bias. The best known bias to date is $\frac{1}{4}$ [11, 46]. This bias is optimal for a large set 
of bit-commitment based protocols [47]. For weak coin tossing, Kitaev's bound 
is known not to apply and lower biases than $\frac{1}{\sqrt{2}} - \frac{1}{2}$ have been achieved (see for 
example [48] for the best bias to date). Moreover, Ambainis has shown that a 
weak coin toss protocol with bias $\epsilon > 0$ must have a number of rounds that grows 
as $\Omega(\log \log \frac{1}{\epsilon})$ [46]. 



We present now the two protocols which achieve strong coin tossing with bias 
$\frac{1}{4}$. The first, due to Ambainis, is based on bit commitment.^4 The second protocol 
is our contribution. It works by trying to securely share entanglement before 
exploiting the quantum correlations that result. 

We give a brief description of Ambainis' protocol below. More details, includ- 
ing the proof that it has a bias of $\frac{1}{4}$, can be found in [46]. 



Protocol 2.1. 

We define the states 

$$|\phi_{b,x}\rangle = \begin{cases} \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle) & b = 0, x = 0 \\ \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle) & b = 0, x = 1 \\ \frac{1}{\sqrt{2}}(|0\rangle + |2\rangle) & b = 1, x = 0 \\ \frac{1}{\sqrt{2}}(|0\rangle - |2\rangle) & b = 1, x = 1 \end{cases} \qquad (2.1)$$

The protocol then proceeds as follows: 

1. Alice picks two random bits $b \in \{0, 1\}$ and $x \in \{0, 1\}$, using a uniform 
distribution. She creates the corresponding qutrit state $|\phi_{b,x}\rangle$ and sends it 
to Bob. 

2. Bob picks a random bit, $b' \in \{0, 1\}$, from a uniform distribution, and sends 
$b'$ to Alice. 

3. Alice sends $b$ and $x$ to Bob, who then checks that the state he received in 
Step 1 matches (by measuring it with respect to a basis consisting of $|\phi_{b,x}\rangle$ 
and two states orthogonal to it). If the outcome of the measurement is not 
the one corresponding to $|\phi_{b,x}\rangle$, Bob aborts. 

4. Otherwise, the result of the coin flip is $b \oplus b'$. 



4 A bit commitment based coin tossing scheme has one party commit a bit, after which the 
other announces another bit. If the XOR of the two bits is 0, the outcome is heads, if 1 it is 
tails. 
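The states (2.1) and Bob's Step 3 check, worked through in numpy as an added illustration (not code from the thesis). It shows the honest run never aborts, and that states with the same b are orthogonal while states with different b overlap with weight 1/4, which is why the commitment to b is only imperfect; the particular completion of |phi_{b,x}> to an orthonormal basis (Gram-Schmidt on the computational basis) is an assumed choice.

```python
"""Added illustration of eq. (2.1) and of Bob's check in Protocol 2.1.
Not code from the thesis; the orthonormal completion used for Bob's
measurement is one assumed choice among many."""
import numpy as np


def ket(i, dim=3):
    v = np.zeros(dim, dtype=complex)
    v[i] = 1.0
    return v


def phi(b, x):
    """|phi_{b,x}> = (|0> + (-1)^x |b+1>)/sqrt(2): the four states of (2.1)."""
    return (ket(0) + (-1) ** x * ket(b + 1)) / np.sqrt(2)


def check_basis(b, x):
    """Orthonormal basis {|phi_{b,x}>, two states orthogonal to it}."""
    basis = [phi(b, x)]
    for i in range(3):
        v = ket(i)
        for u in basis:
            v = v - np.vdot(u, v) * u          # Gram-Schmidt step
        if np.linalg.norm(v) > 1e-9:
            basis.append(v / np.linalg.norm(v))
    return basis[:3]


def accept_probability(state, b, x):
    """Probability Bob's check accepts `state` when Alice announces (b, x):
    the weight of the measurement outcome corresponding to |phi_{b,x}>."""
    return float(abs(np.vdot(phi(b, x), state)) ** 2)


def overlap_table():
    """|<phi_{b,x}|phi_{b',x'}>|^2 for every pair of labels (b, x), (b', x')."""
    labels = [(b, x) for b in (0, 1) for x in (0, 1)]
    return {(p, q): round(abs(np.vdot(phi(*p), phi(*q))) ** 2, 12)
            for p in labels for q in labels}


def honest_run(rng):
    """Honest execution of Protocol 2.1: returns 'abort' or the coin b XOR b'."""
    b, x, b_prime = (int(rng.integers(2)) for _ in range(3))
    state = phi(b, x)                                   # Step 1
    basis = check_basis(b, x)                           # Step 3 measurement
    probs = np.array([abs(np.vdot(u, state)) ** 2 for u in basis])
    outcome = rng.choice(3, p=probs / probs.sum())
    if outcome != 0:
        return "abort"
    return b ^ b_prime                                  # Step 4


if __name__ == "__main__":
    print(overlap_table()[((0, 0), (1, 1))])            # 0.25
    print(honest_run(np.random.default_rng(0)))
```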
This protocol is based on bit commitment. Alice (imperfectly) commits a bit, 
$b$, to Bob by encoding it using one of two non-orthogonal pairs of states. Bob 
then sends a bit $b'$ to Alice. The outcome is decided by the XOR of $b$ and $b'$. 
Many of the coin tossing schemes considered in the literature are of this type. 
The security of such protocols is only as strong as the bit commitment on which 
they are based. Bounds on the possible biases achievable in bit commitment 
schemes are well known [47]. However, coin tossing is strictly weaker than bit 
commitment [49], hence bounds on the achievability of bit commitment do not 
imply similar ones for coin tossing. It is therefore of interest to search for schemes 
that do not rely on bit commitment. We describe one such protocol and give its 
complete security analysis below. This protocol has been published by us. 

Protocol 2.2. 

1. Alice creates 2 copies of the state $|\psi\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$ and sends the second 
qubit of each to Bob. 

2. Bob randomly selects one of the states to be used for the coin toss. He 
informs Alice of his choice. 

3. Alice and Bob measure their halves of the chosen state in the $\{|0\rangle, |1\rangle\}$ 
basis to generate the result of the coin toss. 

4. Alice sends her half of the other state to Bob who tests whether it is the 
state it should be by measuring the projection onto $|\psi\rangle$. If his test fails, 
Bob aborts. 
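An added state-vector walk-through of Protocol 2.2 (not code from the thesis): two copies of |psi> are prepared, Bob picks one pair, both parties measure it in the computational basis, and Bob projects the other pair onto |psi>. The honest run always gives equal bits and passes Bob's test with certainty, while the same projection applied to a product state such as |00> passes only with probability 1/2; the qubit ordering (A_1, B_1, A_2, B_2) is an assumed convention.

```python
"""Added illustration of Protocol 2.2 with explicit state vectors.  Not
code from the thesis.  Qubit order (A_1, B_1, A_2, B_2), index 0 most
significant, is an assumed convention."""
import numpy as np

PSI = np.zeros(4, dtype=complex)
PSI[0b00] = PSI[0b11] = 1 / np.sqrt(2)      # |psi> = (|00> + |11>)/sqrt(2)


def measure_z(state, qubit, n_qubits, rng):
    """Projective {|0>,|1>} measurement of one qubit of an n-qubit state.
    Returns (outcome, normalised post-measurement state)."""
    psi = state.reshape([2] * n_qubits)
    p0 = float(np.sum(np.abs(np.take(psi, 0, axis=qubit)) ** 2))
    outcome = 0 if rng.random() < p0 else 1
    idx = [slice(None)] * n_qubits
    idx[qubit] = outcome
    post = np.zeros_like(psi)
    post[tuple(idx)] = psi[tuple(idx)]        # keep only the observed branch
    post = post.reshape(-1)
    return outcome, post / np.linalg.norm(post)


def psi_projection_probability(state, n_qubits, pair):
    """Probability that projecting qubits `pair` of `state` onto |psi>
    succeeds, i.e. <psi| rho |psi> for the reduced state of that pair."""
    psi = state.reshape([2] * n_qubits)
    m = np.moveaxis(psi, list(pair), [0, 1]).reshape(4, -1)
    amplitudes = PSI.conj() @ m               # component along |psi>, per
    return float(np.sum(np.abs(amplitudes) ** 2))   # configuration of the rest


def honest_run(rng):
    """Returns (Alice's bit, Bob's bit, probability Bob's Step 4 test passes)."""
    state = np.kron(PSI, PSI)                 # Step 1: qubits A1 B1 A2 B2
    k = int(rng.integers(2))                  # Step 2: Bob picks pair k
    a, state = measure_z(state, 2 * k, 4, rng)       # Step 3: Alice's half
    b, state = measure_z(state, 2 * k + 1, 4, rng)   # Step 3: Bob's half
    other = (2 * (1 - k), 2 * (1 - k) + 1)    # Step 4: the remaining pair
    return a, b, psi_projection_probability(state, 4, other)


if __name__ == "__main__":
    print(honest_run(np.random.default_rng(0)))
```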



2.4.2.1 Alice's Bias 

Assume Bob is honest. We will determine the maximum probability, $p_A$, that Alice can achieve outcome 0 (an analogous result follows by symmetry for the case that Alice wants to bias towards 1). Alice's most general strategy is as follows. She can create a state in an arbitrarily large Hilbert space, $|\Psi\rangle \in \mathcal{H}_A \otimes \mathcal{H}_{A_1} \otimes \mathcal{H}_{B_1} \otimes \mathcal{H}_{A_2} \otimes \mathcal{H}_{B_2}$, where $\mathcal{H}_A$ represents the space of an ancillary system Alice keeps, $\mathcal{H}_{B_1}$ and $\mathcal{H}_{B_2}$ are qubit spaces sent to Bob in the first step of the protocol, and $\mathcal{H}_{A_1}$ and $\mathcal{H}_{A_2}$ are qubit spaces, one of which will be sent to Bob for verification. On receiving Bob's choice of state in Step 2, Alice can do one of two local operations on the states in her possession, before sending Bob the relevant qubit for verification. Alice should choose her state and local operations so as to maximize the probability that Bob obtains outcome 0 and does not detect her cheating. 

Let us denote the state of the entire system by 

$$|\Psi\rangle = \sum_{i=0}^{1} \sum_{j=0}^{1} a_{ij} \, |\phi_{ij}\rangle_{AA_1A_2} |ij\rangle_{B_1B_2} \qquad (2.2)$$

where $\{|\phi_{ij}\rangle_{AA_1A_2}\}_{i,j}$ are normalized states in Alice's possession, and $\{a_{ij}\}_{i,j}$ are coefficients. Suppose Bob announces that he will use the first state for the coin toss. There is nothing Alice can subsequently do to affect the probability of Bob measuring 0 on the qubit in $\mathcal{H}_{B_1}$. We can assume that Bob makes the measurement on this qubit immediately on making his choice. Let us also assume that Alice discovers the outcome of this measurement so that she knows the pure state of the entire system (we could add a step in the protocol where Bob tells her, for example^5). If Bob gets outcome 1, then Alice cannot win. On the other hand, if Bob gets outcome 0, the state of the remaining system becomes 

$$\frac{a_{00}}{\sqrt{|a_{00}|^2 + |a_{01}|^2}} \, |\phi_{00}\rangle_{AA_1A_2} |0\rangle_{B_2} + \frac{a_{01}}{\sqrt{|a_{00}|^2 + |a_{01}|^2}} \, |\phi_{01}\rangle_{AA_1A_2} |1\rangle_{B_2}, \qquad (2.3)$$



and Alice can win if she can pass Bob's test in the final step of the protocol. Since entanglement cannot be increased by local operations, the system Alice sends to Bob in this case can be no more entangled than this state. Since measurements (on average) reduce entanglement, Alice's best operation is a unitary on her systems. Such an operation is equivalent to a redefinition of $\{a_{ij}\}$ and $\{|\phi_{ij}\rangle\}$, which Alice is free to choose at the start of the protocol anyway. Alice can do no better than by choosing the coefficients, $\{a_{ij}\}$, to be real and positive. The state which best maximizes the overlap of the system in the $A_2B_2$ subspace with $|\psi\rangle$ is then 

$$\frac{a_{00}}{\sqrt{a_{00}^2 + a_{01}^2}} \, |00\rangle_{A_2B_2} + \frac{a_{01}}{\sqrt{a_{00}^2 + a_{01}^2}} \, |11\rangle_{A_2B_2}. \qquad (2.4)$$



5 Such a step can only make it easier for Alice to cheat, so security under this weakened 
protocol implies security under the original one. 
Alice therefore cannot fool Bob into thinking she was honest with probability greater than $\frac{(a_{00} + a_{01})^2}{2(a_{00}^2 + a_{01}^2)}$. Using a similar argument for the case that Bob chooses the second state for the coin toss shows that Alice's overall success probability is at most $\frac{1}{4}\left(2a_{00}^2 + 2a_{00}a_{01} + 2a_{00}a_{10} + a_{01}^2 + a_{10}^2\right)$. Maximizing this subject to the normalization condition gives a maximum of $\frac{3}{4}$, hence we have the bound $p_A \le \frac{3}{4}$. Equality is achievable within the original protocol (i.e., without the additional step we introduced) by having Alice use the state 

$$\sqrt{\tfrac{2}{3}} \, |0000\rangle_{A_1B_1A_2B_2} + \tfrac{1}{\sqrt{6}} \left( |0011\rangle_{A_1B_1A_2B_2} + |1100\rangle_{A_1B_1A_2B_2} \right), \qquad (2.5)$$

and simply sending $\mathcal{H}_{A_1}$ or $\mathcal{H}_{A_2}$ to Bob in the final step, depending on Bob's choice. 

The protocol is cheat-sensitive towards Alice — any strategy which increases 
her probability of obtaining one outcome gives her a non-zero probability of being 
detected. 



2.4.2.2 Bob's Bias 

Assume Alice is honest. We will determine the maximum probability, $p_B$, that Bob can achieve the outcome 0. The maximum probability for outcome 1 follows by symmetry. Bob seeks to take the qubits he receives, perform some local operation on them, and then announce one of them to be the coin-toss state such that the probability that Alice measures 0 on her part of the state he announces is maximized. 

Suppose that we have found the local operation maximizing Bob's probability of convincing Alice that the outcome is 0. Having performed this operation and sent the announcement to Alice, the outcome probabilities for Alice's subsequent measurement on the state selected by Bob in the $\{|0\rangle, |1\rangle\}$ basis are fixed. Bob's probability of winning depends only on this. It is therefore unaffected by anything Alice does to the other qubit, and, in particular, is unaffected if Alice measures both of her qubits in the $\{|0\rangle, |1\rangle\}$ basis before looking at Bob's choice. Such a measurement commutes with Bob's local operation, so could be done by Alice prior to Bob's operation without changing any outcome probabilities. If Alice does this measurement she gets outcome 1 on both qubits with probability $\frac{1}{4}$. In such a case, Bob cannot convince Alice that the outcome is 0. Therefore, we have bounded Bob's maximum probability of winning via $p_B \le \frac{3}{4}$. 

To achieve equality, Bob can measure each qubit he receives in the $\{|0\rangle, |1\rangle\}$ basis, and if he gets one with outcome 0, choose this state as the one to use for the coin toss. There is no cheat sensitivity towards Bob; he can use this strategy without fear of being caught. 
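As an added worked example (not code from the thesis), the following Python bookkeeping reproduces the two bounds above for Protocol 2.2 exactly by tracking unnormalised amplitudes of the four qubits $A_1B_1A_2B_2$: an honest run gives outcome 0 with probability 1/2 and always passes Bob's test, Alice's state (2.5) reaches $p_A = 3/4$ while being caught with probability 1/6, and Bob's measure-and-choose strategy reaches $p_B = 3/4$. The function names and the dict-of-amplitudes representation are my own choices.

```python
from math import sqrt

# Added example, not code from the thesis: exact probability bookkeeping for
# Protocol 2.2.  A state of the four qubits A1 B1 A2 B2 is a dict mapping the
# bit string "a1b1a2b2" to a real amplitude.  Pair k in {1, 2} is the k-th
# shared state (A_k, B_k); Bob holds B1 and B2.

PSI = {"00": 1 / sqrt(2), "11": 1 / sqrt(2)}   # |psi> = (|00> + |11>)/sqrt(2)


def honest_state():
    """Two copies of |psi>, as an honest Alice prepares in Step 1."""
    return {p1 + p2: x * y for p1, x in PSI.items() for p2, y in PSI.items()}


def cheating_state():
    """Alice's optimal cheating state, eq. (2.5):
    sqrt(2/3)|0000> + (|0011> + |1100>)/sqrt(6)."""
    return {"0000": sqrt(2 / 3), "0011": 1 / sqrt(6), "1100": 1 / sqrt(6)}


def norm2(state):
    """Squared norm of an (unnormalised) state, i.e. the probability of that branch."""
    return sum(amp * amp for amp in state.values())


def _pos(register, k):
    # index of A_k (register "A") or B_k (register "B") within "a1b1a2b2"
    return 2 * (k - 1) + (0 if register == "A" else 1)


def project_bit(state, register, k, value):
    """Unnormalised post-measurement state after a computational-basis
    measurement of register_k gives `value`."""
    p = _pos(register, k)
    return {bits: amp for bits, amp in state.items() if bits[p] == str(value)}


def project_psi(state, k):
    """Unnormalised state after Bob's Step 4 test projects (A_k, B_k) onto |psi>.
    Its squared norm is the probability that the test passes."""
    pa = 2 * (k - 1)
    overlap = {}                       # <psi|_{A_k B_k} applied to the state
    for bits, amp in state.items():
        rest = bits[:pa] + bits[pa + 2:]
        overlap[rest] = overlap.get(rest, 0.0) + PSI.get(bits[pa:pa + 2], 0.0) * amp
    return {rest[:pa] + pair + rest[pa:]: c * amp
            for rest, c in overlap.items() for pair, amp in PSI.items()}


def alice_success_probability(state):
    """Probability that Bob reads 0 on the pair he chose in Step 2 AND his
    Step 4 test on the other pair passes, averaged over Bob's uniform choice."""
    total = 0.0
    for k, other in ((1, 2), (2, 1)):
        after_toss = project_bit(state, "B", k, 0)
        total += 0.5 * norm2(project_psi(after_toss, other))
    return total


def alice_detection_probability(state):
    """Probability that Bob's Step 4 test fails (cheat sensitivity), averaged
    over his choice of pair; the test commutes with his toss measurement."""
    return 1.0 - sum(0.5 * norm2(project_psi(state, other)) for other in (2, 1))


def bob_success_probability(state=None):
    """Bob's optimal strategy: measure B1 and B2 in the computational basis and
    announce a pair that read 0 if there is one.  Returns the probability that
    honest Alice's measurement on her half of the announced pair gives 0."""
    state = honest_state() if state is None else state
    total = 0.0
    for b1 in (0, 1):
        for b2 in (0, 1):
            branch = project_bit(project_bit(state, "B", 1, b1), "B", 2, b2)
            k = 1 if b1 == 0 else 2    # pair 2 if only it read 0, or if neither did
            total += norm2(project_bit(branch, "A", k, 0))   # joint prob. of branch and A_k = 0
    return total


if __name__ == "__main__":
    print("honest Alice, P(0):", alice_success_probability(honest_state()))
    print("cheating Alice, P(0 and test passed):", alice_success_probability(cheating_state()))
    print("cheating Alice, P(test fails):", alice_detection_probability(cheating_state()))
    print("cheating Bob, P(0):", bob_success_probability())
```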



2.4.2.3 Discussion 

In this section we have presented two non-relativistic quantum protocols for strong coin tossing, each of which has bias $\frac{1}{4}$. The first, due to Ambainis, is based on bit commitment. The second is based on sharing entanglement. In terms of practicality, the key differences between the schemes are as follows. Firstly, Ambainis' protocol requires manipulation and communication of a single qutrit, while ours requires four qubits (two of which are communicated). Furthermore, there cannot be a bit-commitment based scheme of this type^6 with a smaller dimensionality than Ambainis', since bit-commitment based protocols using qubits cannot achieve bias $\frac{1}{4}$ [47]. Secondly, Ambainis' protocol does not require the storage of quantum systems. 

The question of whether Kitaev's bound can be reached remains open. That two protocols attempting to optimize the bias both have bias $\frac{1}{4}$ is evidence that this might be the best possible. One would like to construct a proof of this. 



2.4.3 Relativistic Protocols 

Such protocols allow coin tossing with zero bias, due to the bit commitment property they offer (cf. Section 2.3). 

Protocol 2.3. 

1. At time $t_0$, $A_1$ sends a bit, $b \in \{0, 1\}$, to $B_1$, choosing b from a uniform distribution. 

2. $B_2$ simultaneously sends a bit, $b'$, to $A_2$. 

3. $B_1$ checks that his received message arrived before time $t_0 + D$,^7 and likewise so does $A_2$. If this is not the case, they abort. 

4. The disconnected agents of Alice communicate with one another, as do those of Bob. Alice and Bob can then compute the coin toss outcome, $b \oplus b'$. 

6 i.e. where all of the quantum systems are supplied by Alice. 

The impossibility of superluminal signalling prevents either party cheating in 
such a protocol. 

2.5 Discussion 

In this chapter, we have shown how the physical world in which our protocol operates has significant implications on its security, thus highlighting the fact that what can and cannot be done in terms of information processing tasks depends fundamentally on physics. In a non-relativistic, classical world, it is impossible to achieve unconditional security for any two-party protocol, because such protocols are information complete. In a non-relativistic quantum world, information completeness can be broken, as described in Section 2.3. This is sufficient to ensure partial security in coin tossing. Relativity introduces the possibility of stronger security still. The impossibility of superluminal signalling means that information can be completely concealed from one party, at least for the light travel time. This allows a zero-knowledge, finite-time commitment, which is sufficient for coin tossing. 

In the forthcoming chapters we discuss the extent to which quantum and relativistic protocols can be used to achieve other cryptographic tasks. Chapter 3 will show that one additional task (variable bias coin tossing) is possible, while in Chapter 4 a large set of other tasks are shown to be impossible. 



7 Recall that we use units in which the speed of light is unity. 
Chapter 3 

Variable Bias Coin Tossing 



"What does chance ever do for us?" - William Paley 

3.1 Introduction 

In a future version of society, etiquette has become so important that it is impinging on free will. Declining an invitation from an upstanding member of the community has become near impossible. A new social code has emerged to circumvent this, whereby the acceptance or otherwise of all invitations is resolved via a variable bias coin toss (VBCT). This task allows one party to secretly choose the bias of the coin within some prescribed range. If one wants to decline the invitation, one biases so as to maximize the probability of declination. Then, on receiving the (hopefully) negative outcome, one simply ascribes this to ill fortune. This new social code therefore restores some free will, at the expense that sometimes one has to decline favourable invitations. 

In this chapter, we consider protocols for the task of variable bias coin tossing between two parties. The results presented here have been published by us in [?]. The aim of a VBCT protocol is to generate a shared random bit, as though by a biased coin whose bias is secretly chosen by one of the parties to take some value within a prescribed range. This is the two-faced case of the more general task of carrying out a variable bias n-faced die roll, in which one of n possible outcomes is randomly generated as though by a biased die, whose bias (i.e. list of outcome probabilities) is secretly chosen by one of the parties to take some value within a prescribed convex set. Variable bias coin tossing and die rolling are themselves special cases of secure 2-party computations. To understand their significance, we first locate them within a general classification of secure computation tasks. 

3.2 Secure Multi-Party Computation 

A general secure classical computation involves N parties, labelled by i in the range $1 \le i \le N$, who each have some input, $x_i$, and wish to compute some (possibly non-deterministic) functions of their inputs, with the ith party receiving as output $f_i(x_1, \ldots, x_N)$. We call this a classical computation because the inputs and outputs are classical, although we allow such computations to be implemented by protocols which involve the processing of quantum states.^1 All of the computations we consider in this thesis are classical in this sense (although most of the protocols we discuss involve quantum information processing), and we will henceforth refer to these as computations, with the term "classical" taken as understood. A perfectly secure computation guarantees, for each i, each subset $J \subseteq \{1, \ldots, N\}$, and each set of possible inputs $x_i$ and $\{x_j\}_{j \in J}$, that if the parties J do indeed input $\{x_j\}_{j \in J}$ and then collaborate, they can gain no information about the input $x_i$ other than what is implied by $\{x_j\}_{j \in J}$ and $\{f_j(x_1, \ldots, x_N)\}_{j \in J}$. 

Note that some tasks fall outside this model completely. Bit commitment, 
for example, requires that the output is at some time fixed, but is not revealed 
until a later time. Other computations with this delay feature also fall outside 
the scope of our model. 

We restrict attention here to two types of two-party computation: two-sided computations in which the outputs prescribed for each party are identical, and one-sided computations in which one party gets no output. We use the term single function computations to cover both of these types, since, in both cases, only one function need be evaluated. We can classify single function computations by the number of inputs (by which we mean the number of parties making an input, as distinct from the size of the set of possible values of such inputs), by whether they are deterministic or random, and by whether one or two parties receive the output. 

1 Ones which do not, we call classical protocols: here we are considering quantum relativistic protocols for classical computations. 

We are interested in protocols whose unconditional security is guaranteed by the laws of physics. In particular, as is standard in these discussions, we do not allow any security arguments based on technological or computational bounds: each party allows for the possibility that the other may have arbitrarily good technology and arbitrarily powerful quantum computers. In addition, we assume that the Assumptions set out earlier (see Section [?]) hold. Under such assumptions, the known results for secure computations are summarized below. 

Zero-input computations: Secure protocols for zero-input deterministic computations or zero-input random one-sided computations can be trivially constructed, since the relevant computations can be carried out by one or both parties separately. The most general type of zero-input two-sided random secure computation is a biased n-faced secure die roll. This can be implemented with unconditional security by generalizing the relativistic protocol for a secure coin toss given in Section 2.4.3 as follows. 

Protocol 3.1. 

For an n-faced die with distribution $p_1, \ldots, p_n$, 

1. $A_1$ creates a string, $X \in \{1, \ldots, n\}^N$, for which $Np_i$ members are i for all $i \in \{1, \ldots, n\}$ (N is such that $Np_i$ is an integer for all i, or, if the chosen probabilities are irrational, we can get arbitrarily close to the correct distribution by taking N large). The permutation of elements in the string is chosen uniformly at random. $A_1$ sends this string to $B_1$.^2 

2. $B_2$ simultaneously sends a random number, $j \in \{1, \ldots, N\}$, to $A_2$. 

3. $B_1$ checks that his received message arrived before time $t_0 + D$, and likewise, so does $A_2$. If this is not the case, they abort. 

4. The disconnected agents of Alice communicate with one another, as do those of Bob. 

5. Bob checks that the string he received from Alice has the correct number of entries of each type. If not, he aborts. Otherwise the outcome of the die roll is the jth member of X. 

2 For example, in an unbiased coin toss, X is either (0,1) or (1,0). The second bit is redundant, hence the protocol can be simplified to Protocol 2.3 presented previously. 

One- input computations: Secure protocols for deterministic one-input 
computations are trivial; the party making the input can always choose it to 
generate any desired output on the other side and so might as well compute the 
function on their own and send the output directly to the other party. 

The non-deterministic case is of interest. For one-sided computations, where 
the output goes to the party that did not make the input, the most general 
function is a one-sided variable bias n-faced die roll. The input simply defines 
a probability distribution over the outputs. In essence, one party chooses one 
from a collection of biased n-faced dice to roll (the members of the collection are 
known to both parties). The output of the roll goes to one party only, who has 
no other information about which die was chosen. 

It is known that some computations of this type are impossible. Oblivious transfer falls into this class, for instance,^3 and is shown to be impossible in Section [?]. In Chapter 4 we discuss other computations of this type, and show that they are impossible to implement securely. 

We call the two-sided case of a non-deterministic one-input function a variable bias n-faced die roll. This — and particularly the two-faced variable bias coin toss — is the subject of the present chapter. We will give a protocol that implements the task with unconditional security for a limited range of biases, another which permits any range of biases but achieves only cheat-evident security, and two further protocols that allow any range of biases and which we conjecture are unconditionally secure. Such tasks are impossible in non-relativistic cryptography. 



Two-input computations: Lo [50] considered the task of finding a secure nonrelativistic quantum protocol for a two-input, deterministic, one-sided function. He showed that if the protocol allows Alice to input i, Bob to input j, and Bob to receive $f(i,j)$, while giving Alice no information on j, then Bob can also obtain $f(i,j')$ for all $j'$. For any cryptographically nontrivial computation, there must be at least one i for which knowing $f(i,j')$ for all $j'$ gives Bob more information than knowing $f(i,j)$ for just one value of j. As this violates the definition of security for a secure classical computation, it is impossible to implement any cryptographically nontrivial computation securely. 

3 To see that OT can be thought of as an example of a one-sided variable bias n-faced die roll, consider the probability table, Table 4.3 in Section 4.4.3. The computation can be thought of as having Alice pick one of two three sided dice to roll (the three sides being labelled 0, 1 and 

Lo's proof as stated applies to nonrelativistic protocols. He showed that there cannot exist a set of states $\{|\psi^{(i,j)}_{AB}\rangle\}$ shared between Alice and Bob that fulfil the requirements of such a computation. In a relativistic computation where all measurements are kept quantum until the end, the final state must again be an (i, j)-dependent pure state distributed between Alice and Bob. Lo's impossibility result therefore extends trivially to relativistic protocols.^4 

Lo also noted that some secure two-input deterministic, two-sided non-relativistic quantum computations are impossible, because they imply the ability to do non-trivial secure two-input, deterministic one-sided computations. This argument also extends trivially to relativistic protocols. 

We will discuss further protocols in this class in detail in Chapter 4. 

Table 3.1 summarizes the known results. 

3.3 Variable Bias Coin Tossing 
3.3.1 Introduction 

We now specialize to the task of variable bias coin tossing (VBCT), the simplest 
case of a one-input, random, two-sided computation. We seek protocols whose 
security is guaranteed based on the laws of physics. 

4 Rudolph [29] has defined the notion of a consistent task as one for which there exist states shared between the parties, and local operations which could satisfy the security demands. Inconsistent tasks are then impossible whether or not the protocol is relativistic, hence Lo's proof also works in this scenario. Consistent tasks are not necessarily possible: they require a way to securely generate a shared state of the correct form. Whether this is achievable can depend on whether a relativistic protocol is used or not. 
Type of computation                      Securely implementable   Comment 
Zero-input   Deterministic               ✓                        Trivial 
             Random one-sided            ✓                        Trivial 
             Random two-sided            ✓                        Biased n-faced die roll 
One-input    Deterministic               ✓                        Trivial 
             Random one-sided            (X)                      One-sided variable bias n-faced die roll 
             Random two-sided            ✓*                       Variable bias n-faced die roll 
Two-input    Deterministic one-sided     X                        cf. Lo 
             Deterministic two-sided     (X)                      cf. Lo 
             Random one-sided            ?                        see Chapter 4 
             Random two-sided            ?                        see Chapter 4 

Table 3.1: Functions computable securely in two-party computations using (potentially) both quantum and relativistic protocols, when unconditional security is sought. ✓ indicates that all functions of this type are possible, X indicates that all functions of this type are impossible, ✓* indicates that conjectures made later in this chapter imply that all functions of this type are possible, and (X) indicates that some functions of this type are impossible. ? indicates an unknown result (to be discussed in Chapter 4). An updated version of this table is given at the end of Chapter 4. 
The aim of a VBCT protocol is to provide two mistrustful parties with the outcome of a biased coin toss. We label the possible outcomes by 0 and 1 and define the bias to be the probability, $p_0$, of outcome 0. The protocol should allow one party, by convention Bob, to fix the bias to take any value within a pre-agreed range, $p_{\min} \le p_0 \le p_{\max}$. The protocol should guarantee to both parties that the biased coin toss outcome is genuinely random, in the sense that Bob's only way of influencing the outcome probabilities is through choosing the bias, while Alice has no way of influencing the outcome probabilities at all. It should also guarantee to Bob that Alice can obtain no information about his bias choice beyond what she can infer from the coin toss outcome alone. 

To illustrate the uses of VBCT, consider a situation in which Bob may or may not wish to accept Alice's invitation to a party, in a future world in which social protocol decrees that his decision^5 is determined by a variable bias coin toss in which he chooses the bias within a prescribed range, $p_{\min} \le p_0 \le p_{\max}$. Alice, who is both self-confident and a Bayesian, believes prior to the coin toss that the probability of Bob not wishing to accept is $10^{-n}$, for some fairly large value of n. If Bob does indeed wish to accept, he can choose $p_0 = p_{\max}$, ensuring a high probability of acceptance. If he does not, he can choose $p_0 = p_{\min}$, ensuring a low probability of acceptance. If the invitation is declined, this social protocol allows both parties to express regret, ascribing the outcome to bad luck rather than to Bob's wishes. Alice's posterior probability estimate of Bob's not wishing to attend is approximately $10^{-n+1}$, i.e., still close to zero. 

For another illustration of the uses of VBCT, suppose that Bob has a large 
secret binary data set of size N. For example, this might be a binary encoding 
of a high resolution satellite image. He is willing to sell Alice a noisy image of 
the data set with a specified level of random noise. Alice is willing to purchase if 
there is some way of guaranteeing, at least to within tolerable bounds, that the 
noise is at the specified level and that it was genuinely randomly generated. In 
particular, she would like some guarantee that constrains Bob so that he cannot 
selectively choose the noise so as to obscure a significantly sized component of 
the data set which he (but not necessarily she) knows to be especially interesting. 

5 Naturally, a similar protocol, in which Alice chooses the bias, governs the decision about 
whether or not an invitation is issued. 
Let us suppose also that the full data set will eventually become public, so that Alice will be able to check the noisy image against it, and that she will be able to enforce suitably large penalties against Bob if the noisy and true versions turn out not to be appropriately related. They may proceed by agreeing on parameters $p_{\min}$ and $p_{\max} = 1 - p_{\min}$, and then running a variable bias coin toss for each bit in the image, with Bob choosing $p_0 = p_{\min}$ if the bit is 1 and $p_0 = p_{\max}$ if the bit is 0. Following this protocol honestly provides Alice with the required randomly generated noisy image. On the other hand, if Bob deviates significantly from these choices for more than $O(\sqrt{N})$ of the bits, Alice will almost certainly be able to unmask his cheating once she acquires the full data set. 

3.3.2 Definitions 

A VBCT protocol is defined by a prescribed series of classical or quantum communications between two parties, Alice and Bob. If the protocol is relativistic, it may also require that the parties each occupy two or more appropriately located sites and may stipulate which sites each communication should be made from and to. The protocol's definition includes bias parameters $p_{\min}$ and $p_{\max}$, with $p_{\min} < p_{\max}$, and may also include one or more security parameters $N_1, \ldots, N_r$. It accepts a one bit input from one party, Bob, and must result in both parties receiving the same output, one of the three possibilities 0, 1 or "abort". The output "abort" can arise only if at least one of the parties refuses to complete the protocol honestly. 

We follow the convention that Bob can fix $p_0$ to be $p_{\min}$ or $p_{\max}$ by choosing inputs 1 or 0 respectively (so that an input of bit value b maximizes the probability of output b). He can thus fix $p_0$ anywhere in the range $p_{\min} \le p_0 \le p_{\max}$ by choosing the input randomly with an appropriate weighting. Since any VBCT protocol gives Bob this freedom, we do not require a perfectly secure protocol to exclude other strategies which have the same result: i.e., a perfectly secure protocol may allow any strategy of Bob's which causes $p_0$ to lie in the given range, so long as no other security condition is violated.^6 However, if Bob is honest, he chooses either $p_0 = p_{\min}$ or $p_0 = p_{\max}$. This motivates the following security definitions. 

6 Similar statements hold, with appropriate epsilonics, for secure protocols: see below. 
We say the protocol is secure if the following conditions hold when at least one party honestly follows the protocol. Let $p_0$ be the probability of the output being 0, and $p_1$ be the probability of the output being 1. Then, regardless of the strategy that a dishonest party may follow during the protocol, we have $p_0 \le p + \epsilon(N_1, \ldots, N_r)$ and $p_1 \le (1 - p) + \epsilon(N_1, \ldots, N_r)$, where $p_{\min} \le p \le p_{\max}$ and the protocol allows Bob to determine p to take any value in this range. Alice has probability less than $\zeta(N_1, \ldots, N_r)$ of obtaining more than $\delta(N_1, \ldots, N_r)$ bits of information that are not implied by the outcome. In addition, if Bob honestly follows the protocol and legitimately aborts before the coin toss outcome is known,^7 then Alice has probability less than $\zeta(N_1, \ldots, N_r)$ of obtaining more than $\delta(N_1, \ldots, N_r)$ bits of information about Bob's input. 

(We should comment here on a technical detail that will be relevant to some 
of the protocols we later consider. It turns out, in some of our protocols, to be 
possible and useful for Bob to make supplementary security tests even after both 
parties have received information which would determine the coin toss outcome. 
The protocols are secure whether or not these supplementary tests are made, 
in the sense that the security criteria hold as the security parameters tend to 
infinity. However, the supplementary tests increase the level of security for any 
fixed finite value of the security parameters. 

We need slightly modified definitions to cover this case, since the output of the protocol is defined to be "abort" if Bob aborts after carrying out supplementary security tests. If Bob honestly follows a protocol with supplementary tests, and legitimately aborts after the coin toss outcome is determined, then we require that Alice should have probability less than $\zeta(N_1, \ldots, N_r)$ of obtaining more than $\delta(N_1, \ldots, N_r)$ extra bits of information — i.e., beyond what is implied by the coin toss outcome. 

Note that introducing supplementary security tests may allow Alice to follow the protocol honestly until she obtains the coin toss outcome, and then deliberately fail the supplementary tests in order to cause the protocol to abort. However, this may not give her useful extra scope for cheating. In a VBCT protocol in which the coin toss outcome has some real world consequence, for instance, 

7 We take this to be the point at which both parties have enough information (possibly 
distributed between their remote agents) to determine the outcome. 
Alice can always follow the protocol honestly and then refuse to abide by the consequence dictated by its outcome: for example, she can decide not to invite Bob to her party, even if the variable bias coin toss suggests that she should. This unavoidable possibility has the same effect as her causing the protocol to abort after the coin toss outcome is determined.) 

In all the above cases, we require $\delta(N_1, \ldots, N_r) \to 0$, $\epsilon(N_1, \ldots, N_r) \to 0$ and $\zeta(N_1, \ldots, N_r) \to 0$ as the $N_i \to \infty$. We say the protocol is perfectly secure for some fixed values $N_1, \ldots, N_r$ if the above conditions hold with $\epsilon(N_1, \ldots, N_r) = \delta(N_1, \ldots, N_r) = \zeta(N_1, \ldots, N_r) = 0$. 

Suppose now that one party is honest and the other party fixes their strategy (which may be probabilistic and may depend on data received during the protocol) before the protocol commences, and suppose that the probability of the protocol aborting, given this strategy, is less than $\epsilon'$. Since the only possible outcomes are 0, 1 and "abort", it follows from the above conditions that, if Bob inputs 1, we have $p_{\min} - \epsilon(N_1, \ldots, N_r) - \epsilon' \le p_0 \le p_{\min} + \epsilon(N_1, \ldots, N_r)$ and $(1 - p_{\min}) - \epsilon(N_1, \ldots, N_r) - \epsilon' \le p_1 \le (1 - p_{\min}) + \epsilon(N_1, \ldots, N_r)$. Similarly, if Bob inputs 0, we have $p_{\max} - \epsilon(N_1, \ldots, N_r) - \epsilon' \le p_0 \le p_{\max} + \epsilon(N_1, \ldots, N_r)$ and $(1 - p_{\max}) - \epsilon(N_1, \ldots, N_r) - \epsilon' \le p_1 \le (1 - p_{\max}) + \epsilon(N_1, \ldots, N_r)$. In other words, unless a dishonest party is willing to accept a significant risk of the protocol aborting, they cannot cause the outcome probabilities for 0 or 1 to be significantly outside the allowed range. Moreover, no aborting strategy can increase the probability of 0 or 1 beyond the allowed maximum. 

For an unconditionally secure VBCT protocol, the above conditions hold assuming only that the laws of physics are correct. In a cheat-evidently secure protocol, if any of the above conditions fail, then the non-cheating party is guaranteed to detect this, again assuming only the validity of the laws of physics. 

3.4 VBCT Protocols 
3.4.1 Protocol VBCT1 

We consider first a simple relativistic quantum protocol, which implements VBCT with unconditional security, for a limited range of biases. The protocol requires each party to have agents located at three appropriately separated sites. 

Protocol VBCT1 



1. Bi, B 2 and B 3 agree on a random number n chosen from a Poisson distri- 
bution with large mean (or other suitable distribution). 

2. A\ sends a sequence of qubits {!</>«)} to B\, where each e {|"0o) , l^i)} 
is chosen independently with probability half each, using the random string 
x. The states |^o) and j^i) are agreed between Alice and Bob prior to 
the protocol, and the qubits are sent at regular intervals according to a 
previously agreed schedule, so that all the agents involved can coordinate 
their transmissions. 

3. Bi receives each qubit and stores it. 

4. A 2 tells B 2 the sequence of states {]&)} sent, choosing the timings so that 
A\S quantum communication of the qubit |<^>j) is spacelike separated from 
A 2 s classical communication of its identity. B 2 relays these communications 
to B 1 . 

5. $B_3$ announces to $A_3$ that the nth state will be used for the coin toss. This announcement is made at a point spacelike separated from the nth rounds of communication between $A_1$ and $B_1$ and between $A_2$ and $B_2$. $A_3$ reports the value of n to $A_1$ and $A_2$.

6. $B_1$ performs the measurement on $|\phi_n\rangle$ that optimally distinguishes $|\psi_0\rangle$ from $|\psi_1\rangle$, and then reveals n to $A_1$, along with a bit b. If his measurement is indicative of the state being $|\psi_{b'}\rangle$, then Bob should select $b = b'$ if he wants outcome 0, or else select $b = \bar{b}'$. Let Alice's random choice for the nth state be $|\psi_a\rangle$; recall that $A_2$ reported the value of a to $B_2$ in Step 4.

7. Some time later, on receipt of the sequence sent by $B_2$ in Step 4, $B_1$ measures his remaining stored states to verify that they were correctly described by $A_2$. If any error occurs, he aborts.
8. $A_1$ receives from $A_3$ the value of n sent by $B_3$, confirming that $B_1$ was committed to guess the nth state, and $B_1$ receives from $B_2$ the value of a sent by $A_2$. The outcome of the coin toss is $c = a \oplus b$.

It will be seen that this protocol is a variant of the familiar relativistic protocol 
for ordinary coin tossing. As in that protocol, Alice and Bob simultaneously 
exchange random bits. However, Alice's bit is here encoded in non-orthogonal 
qubits, which means that Bob can obtain some information about its value. Bob 
uses this information to affect the bias of the coin toss. 

We use the bit w to represent Bob's wishes, with $w = 0$ representing Bob trying to produce the outcome 0 by guessing correctly, and $w = 1$ representing him trying to produce the outcome 1 by guessing wrongly. Security requires that

$$p(w|a,b,c) \approx p(w|c), \qquad (3.1)$$

i.e. the bits a and b convey no information about Bob's wishes. Perfect security requires equality in the above equation.

3.4.1.1 Bob's Strategy 

The choice of n need not be fixed by Bob at the start of the protocol: for example, it could be decided during the protocol by using an entangled state shared by the $B_i$. However, we may assume $B_3$ sends a classical choice of n to $A_3$ ($A_3$ will measure any quantum state he sends immediately in the computational basis, and hence we may assume, for the purposes of security analysis, that $B_3$ carries out this measurement). $B_3$'s announcement of n is causally disconnected from the sending of the nth state to $B_1$ and of its identity to $B_2$. Therefore, no matter how it is selected, it does not depend on the value of the nth state. While it could be generated in such a way as to depend on some information about the sequence of states previously received, these states are uncorrelated with the nth state if Alice follows the protocol. Such a strategy thus confers no advantage, and we may assume, for the purposes of security analysis, that the choice of n is generated by an algorithm independent of the previous sequence of states. We may also assume that n is generated in such a way that $B_1$ and $B_2$ can obtain the value of n announced by $B_3$ with certainty: if not, their task is only made harder. In summary, for the purposes of security analysis, we may assume that $B_3$ announces a classical value of n, pre-agreed with $B_1$ and $B_2$ at the beginning of the protocol.

$B_1$ is then committed to making a guess of the value of the nth state: if he fails to do so then Alice knows Bob has cheated. $B_1$'s best strategy is thus to perform some measurement on the nth state and use the outcome to make his guess. We define $|\psi_0\rangle = \cos\frac{\theta}{2}|0\rangle + \sin\frac{\theta}{2}|1\rangle$ and $|\psi_1\rangle = \cos\frac{\theta}{2}|0\rangle - \sin\frac{\theta}{2}|1\rangle$, where $0 < \theta < \frac{\pi}{2}$. Let the projections defining the optimal measurement be $P_0$ and $P_1$. We say that the outcome corresponding to $P_0$ is "outcome 0", and similarly for the outcome corresponding to $P_1$. Without loss of generality, we can take outcome 0 to correspond to the most likely state Alice sent being $|\psi_0\rangle$ and similarly outcome 1 to correspond to $|\psi_1\rangle$. Bob's probability of guessing correctly is then given by

$$p^c_B = \frac{1}{2}\left(\langle\psi_0|P_0|\psi_0\rangle + \langle\psi_1|P_1|\psi_1\rangle\right). \qquad (3.2)$$

This is maximized for $P_0$ and $P_1$ corresponding to measurements in the $|\pm\rangle$ basis, where $|\pm\rangle = \frac{1}{\sqrt{2}}(|0\rangle \pm |1\rangle)$. The maximum value is

$$p^{\max}_B = \frac{1}{2}(1 + \sin\theta). \qquad (3.3)$$

It is easy to see that the security criterion (3.1) is always satisfied. Furthermore, the outcome c can be used by either party to simulate the intermediates produced in the protocol (i.e., a, b, and the set of quantum states), making it clear that no information is gained, other than that implied by the outcome (the role of simulatability in security will be discussed further in Section 4.2). The minimum probability of Bob guessing correctly is always $1 - p^{\max}_B$, which he can attain by following the same strategy but associating outcome $b'$ with a guess of $\bar{b}'$. The possible range of biases are those between $p_{\min} = \frac{1}{2}(1 - \sin\theta)$ and $p_{\max} = \frac{1}{2}(1 + \sin\theta)$. The protocol thus implements VBCT for all values of $p_{\min}$ and $p_{\max}$ with $p_{\min} + p_{\max} = 1$ (and no others).
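As an added illustration (not code from the thesis), the following Python evaluates Bob's guessing probability (3.2) for the $|\pm\rangle$ measurement and for a poor choice of basis, checks it against the Helstrom bound, and works through the exact joint distribution of $(a, b, c)$ in a VBCT1 run for each wish w, so that the bias range and criterion (3.1) can be verified numerically. The function names and the value of $\theta$ used are choices made here.

```python
import math

def psi(theta, a):
    """Real amplitudes of |psi_a> in the computational basis:
    |psi_0> = cos(theta/2)|0> + sin(theta/2)|1>, |psi_1> = cos(theta/2)|0> - sin(theta/2)|1>."""
    c, s = math.cos(theta / 2), math.sin(theta / 2)
    return (c, s) if a == 0 else (c, -s)

# The |+> / |-> basis, in which Bob's optimal measurement is made.
PLUS = (1 / math.sqrt(2), 1 / math.sqrt(2))
MINUS = (1 / math.sqrt(2), -1 / math.sqrt(2))
COMPUTATIONAL = ((1.0, 0.0), (0.0, 1.0))  # a deliberately poor choice, for comparison

def born(state, vec):
    """Born-rule probability that measuring `state` yields the projector onto `vec`."""
    overlap = state[0] * vec[0] + state[1] * vec[1]
    return overlap * overlap

def guess_prob(theta, basis=(PLUS, MINUS)):
    """Eq. (3.2): p_B^c = 1/2 (<psi_0|P_0|psi_0> + <psi_1|P_1|psi_1>) for projectors P_0, P_1."""
    p0, p1 = basis
    return 0.5 * (born(psi(theta, 0), p0) + born(psi(theta, 1), p1))

def p_max(theta):
    """Eq. (3.3): the maximum guessing probability 1/2 (1 + sin theta)."""
    return 0.5 * (1 + math.sin(theta))

def helstrom(theta):
    """Helstrom bound for two equiprobable pure states with overlap <psi_0|psi_1>:
    1/2 (1 + sqrt(1 - |<psi_0|psi_1>|^2)).  It must coincide with p_max."""
    a, b = psi(theta, 0), psi(theta, 1)
    ov = a[0] * b[0] + a[1] * b[1]
    return 0.5 * (1 + math.sqrt(1 - ov * ov))

def toss_distribution(theta, w):
    """Exact joint distribution of (a, b, c) in one VBCT1 run when Bob's wish is w.
    Alice's bit a is uniform; Bob measures |psi_a> in the |+-> basis, obtaining b',
    sets b = b' (w = 0, aiming for outcome 0) or b = NOT b' (w = 1), and c = a XOR b."""
    dist = {}
    for a in (0, 1):
        for b_prime, proj in ((0, PLUS), (1, MINUS)):
            p = 0.5 * born(psi(theta, a), proj)
            b = b_prime if w == 0 else 1 - b_prime
            c = a ^ b
            dist[(a, b, c)] = dist.get((a, b, c), 0.0) + p
    return dist

def outcome_prob(theta, w, c=0):
    """Probability of coin outcome c when Bob's wish is w."""
    return sum(p for (_, _, cc), p in toss_distribution(theta, w).items() if cc == c)

def criterion_31_holds(theta, tol=1e-12):
    """Check eq. (3.1): a and b carry no information about w beyond c.  Given c, b = a XOR c
    is fixed, so it suffices that p(a | c, w) is the same for w = 0 and w = 1."""
    for c in (0, 1):
        for a in (0, 1):
            cond = []
            for w in (0, 1):
                d = toss_distribution(theta, w)
                joint = sum(p for (aa, _, cc), p in d.items() if aa == a and cc == c)
                cond.append(joint / outcome_prob(theta, w, c))
            if abs(cond[0] - cond[1]) > tol:
                return False
    return True
```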

3.4.1.2 Security Against Alice 

Security against Alice is ensured by the fact that $B_1$ tests $A_2$'s statements about the identity of the states sent to $B_1$.
We seek to show that if Alice attempts to alter the probability of $B_1$ measuring 0 or 1 with his measurement in Step 6, then in the limit of large n, either the probability of her being detected tends to 1, or her probability of successfully altering the probability tends to zero. Note that it may be useful for Alice to alter the probabilities in either direction: if she increases the probability that $B_1$ guesses correctly, she learns more information about Bob's bias than she should; if she decreases it, she limits Bob's ability to affect the bias.

We need to show that if, on the ith round, $B_1$ receives state $\rho_i$, for which the probability of outcome 0 differs from that dictated by the protocol, then the probability of $B_1$ not detecting Alice cheating on this state is strictly less than 1.

$B_1$'s projections are onto $\{|+\rangle, |-\rangle\}$ for the nth state. Alice's cheating strategy must ensure that for some subset of the states she sends to $B_1$, there is a different probability of his measurement giving outcome 0. Suppose that $\rho_i$ satisfies

$$\langle +|\rho_i|+\rangle = p_{\max} + \delta_1 \qquad (3.4)$$
$$\phantom{\langle +|\rho_i|+\rangle} = p_{\min} + \delta_2, \qquad (3.5)$$

where $\delta_1, \delta_2 \neq 0$. Then, if $B_1$ was to instead test Alice's honesty, the state which maximizes the probability of Alice passing the test, among those satisfying (3.4), is

$$(p_{\max} + \delta_1)^{1/2}|+\rangle + (1 - p_{\max} - \delta_1)^{1/2}|-\rangle, \qquad (3.6)$$

and she should declare this state to be whichever of $|\psi_0\rangle$ or $|\psi_1\rangle$ maximizes the probability of passing Bob's test. We have

$$\left( \left(p_{\max}(p_{\max} + \delta_1)\right)^{1/2} + \left((1 - p_{\max})(1 - p_{\max} - \delta_1)\right)^{1/2} \right)^2 \leq 1 - \delta_1^2, \qquad (3.7)$$

and a similar equation with $p_{\min}$ replacing $p_{\max}$ and $\delta_2$ replacing $\delta_1$. Hence the probability of passing Bob's test is at most $1 - \delta^2$, where $\delta = \min(|\delta_1|, |\delta_2|)$. In order to affect $B_1$'s measurement probabilities with significant chance of success, there must be a significant fraction of states satisfying (3.4). If a fraction $\gamma$ of states satisfy (3.4) with $\min(|\delta_1|, |\delta_2|) > \delta$ for some fixed $\delta > 0$, then this cheating strategy succeeds with probability at most $\gamma(1 - \delta^2)^{\gamma n}$. Hence, for any $\delta, \gamma$, the probability of this technique being successful for Alice can be made arbitrarily close to 0 if Bob chooses the mean of the Poisson distribution used in Step 1 (and hence the expected value of n) to be sufficiently large.

Note that, as this argument applies state by state to the pi, it covers every 
possible strategy of Alice's: in particular, the argument holds whether or not the 
sequence of qubits she sends is entangled. 

We hence conclude that the protocol is asymptotically secure against Alice. 

3.4.2 Protocol VBCT2 

We now present a relativistic quantum VBCT protocol which allows any range 
of biases, but achieves only cheat-evident security rather than unconditional se- 
curity. 

Protocol VBCT2 

1. $B_1$ creates N states, each being either $|\psi_0\rangle = \alpha_0|00\rangle + \beta_0|11\rangle$ or $|\psi_1\rangle = \alpha_1|00\rangle + \beta_1|11\rangle$, with $\{\alpha_0, \alpha_1, \beta_0, \beta_1\} \in \mathbb{R}^+$, $\alpha_0 > \alpha_1$, and $\alpha_i^2 + \beta_i^2 = 1$. The states are chosen with probability half each. In the unlikely event that all the states are the same, $B_1$ rejects this batch and starts again. $B_1$ uses the shared random string y to make his random choices, so that $B_1$ and $B_2$ both know the identity of the ith state. $B_1$ sends the second qubit of each state to $A_1$. The values of $\alpha_0, \beta_0, \alpha_1$ and $\beta_1$ are known to both Alice and Bob. We define the bias of the state $|\psi_i\rangle$ to be $\alpha_i^2$, and write $p_{\min} = \alpha_1^2$ and $p_{\max} = \alpha_0^2$.

2. Alice decides whether to test Bob's honesty ($z = 1$), or to trust him ($z = 0$). She selects $z = 0$ with probability $2^{-M}$. $A_1$ and $A_2$ simultaneously inform $B_1$ and $B_2$ of z, $A_2$'s communication being spacelike separated from the creation of the states by $B_1$ in Step 1.

3. (a) If $z = 1$, $B_1$ sends all of his qubits and their identities to $A_1$, while $B_2$ sends the identities to $A_2$. $A_1$ can then verify that they are as claimed and if so, the protocol returns to Step 1. If not, she aborts the protocol.

   (b) If $z = 0$, $B_1$ randomly chooses a state to use for the coin toss from among those with the bias he wants. $B_2$ simultaneously informs $A_2$ of $B_1$'s choice.

4. $A_1$ and $B_1$ measure their halves of the chosen state in the $\{|0\rangle, |1\rangle\}$ basis, and this defines the outcome of the coin toss.

(5. As an optional supplementary post coin toss security test, $B_1$ may ask $A_1$ to send all her remaining qubits back to him, except for her half of the state selected for the coin toss. He can then perform projective measurements on these states to check that they correspond to those originally sent.)

An intuitive argument for security of this protocol is as follows. On the one hand, as $M \to \infty$, the protocol is secure against Bob since, in this limit, he always has to convince Alice that he supplied the right states, which he can only do if he has been honest. But also, in the limit $N \to \infty$, we expect the protocol to be secure against Alice, since in this limit, she cannot gain any more information about the bias Bob selected than can be gained by performing the honest measurement.

The protocol can only provide cheat-evident security rather than unconditional security, since there are useful cheating strategies open to Alice, albeit ones which will certainly be detected. One such strategy is for $A_1$ to claim that $z = 0$ on some state, while $A_2$ claims that $z = 1$. This allows Alice to determine Bob's desired bias, since $B_1$ will tell $A_1$ the state to use, and $B_2$ will tell $A_2$ its identity. However, this cheating attack will be exposed once $B_1$ and $B_2$ communicate.

(Technically, Alice has another possible attack: she can follow the protocol honestly until she learns the outcome, and then intentionally try to fail Bob's tests in Step 5 by altering her halves of the remaining states in some way. By so doing, she can cause the protocol to abort after the coin toss outcome is determined. However, as discussed in Section 3.3, this gives her no advantage.)
3.4.2.1 Security Against Alice

Assume Bob does not deviate from the protocol. $A_2$ must announce the value of z without any information about the current batch of states sent to $A_1$ by $B_1$. Alice therefore cannot affect the bias: once a given batch is accepted, she cannot affect $B_1$'s measurement probabilities on any state he chooses for the coin toss. While Alice's choices of z need not be classical bits determined before the protocol and shared by the $A_i$, we may assume, for the purposes of security analysis, that they are, by the same argument used in analyzing Bob's choice of n in VBCT1.

Once Bob has announced the state he wishes to use for the coin toss, though, Alice can perform any measurement on the states in her possession in order to gain information about Bob's chosen bias. It would be sufficient to show that any such attack that provides significant information is almost certain to be detected by Bob's tests in Step 3(b); if so, the existence of such attacks would not compromise the cheat-evident security of the protocol. In fact, a stronger result holds: Alice cannot gain significant information by such attacks. From her perspective, if Bob selects a $|\psi_0\rangle$ state for the coin toss, the (un-normalized) mixed state of the remaining $(N-1)$ qubits is

$$\sigma_0 = \sum_{m=0}^{N-2} \sum_{\substack{i_1,\ldots,i_{N-1} \in \{0,1\} \\ \#\{j : i_j = 0\} = m}} \rho_{i_1} \otimes \rho_{i_2} \otimes \cdots \otimes \rho_{i_{N-1}}, \qquad (3.8)$$

while if Bob selects a $|\psi_1\rangle$ state for the coin toss, the (un-normalized) mixed state of the remaining $(N-1)$ qubits is

$$\sigma_1 = \sum_{m=1}^{N-1} \sum_{\substack{i_1,\ldots,i_{N-1} \in \{0,1\} \\ \#\{j : i_j = 0\} = m}} \rho_{i_1} \otimes \rho_{i_2} \otimes \cdots \otimes \rho_{i_{N-1}}, \qquad (3.9)$$

where

$$\rho_i = \mathrm{tr}_B\left(|\psi_i\rangle\langle\psi_i|\right) \quad \text{for } i = 0, 1.$$

We will use $\bar{\sigma}_0$ and $\bar{\sigma}_1$ to denote the normalized versions of $\sigma_0$ and $\sigma_1$ respectively. We have

$$D(\rho_0 \otimes \bar{\sigma}_0, \rho_1 \otimes \bar{\sigma}_1) \leq D(\rho_0 \otimes \bar{\sigma}_0, \rho_1 \otimes \bar{\sigma}_0) + D(\rho_1 \otimes \bar{\sigma}_0, \rho_1 \otimes \bar{\sigma}_1). \qquad (3.10)$$

As $N \to \infty$, we have $D(\bar{\sigma}_0, \bar{\sigma}_1) \to 0$ and so $D(\rho_0 \otimes \bar{\sigma}_0, \rho_1 \otimes \bar{\sigma}_1) \to D(\rho_0, \rho_1)$. Since the maximum probability of distinguishing two states is a function only of the trace distance (see Appendix A), the maximum probability of distinguishing $\rho_0 \otimes \bar{\sigma}_0$ from $\rho_1 \otimes \bar{\sigma}_1$ tends, as $N \to \infty$, to the maximum probability of distinguishing $\rho_0$ from $\rho_1$. The measurement that attains this maximum is that dictated by the protocol. We hence conclude that, in the limit of large N, the excess information Alice can gain by using any cheating strategy tends to zero.
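As an added numerical check of the argument around eqs. (3.8) to (3.10), and not code from the thesis, the Python below builds the normalised $\bar{\sigma}_0$ and $\bar{\sigma}_1$ for small N, computes $D(\bar{\sigma}_0, \bar{\sigma}_1)$ both directly and from the closed form that follows when m counts the $|\psi_0\rangle$ states among the remaining $N-1$ (the reading assumed here), and checks that $D(\rho_0 \otimes \bar{\sigma}_0, \rho_1 \otimes \bar{\sigma}_1)$ stays within $D(\bar{\sigma}_0, \bar{\sigma}_1)$ of $D(\rho_0, \rho_1)$. Because every $\rho_i$ is diagonal in the computational basis, all states involved are classical distributions and D is half the $\ell_1$ distance; the function names and the values of $\alpha_i^2$ are choices made here.

```python
from itertools import product

def trace_distance(d0, d1):
    """Trace distance between two states diagonal in the computational basis, given as
    dicts bitstring -> weight: D = 1/2 * sum_x |d0(x) - d1(x)|."""
    keys = set(d0) | set(d1)
    return 0.5 * sum(abs(d0.get(k, 0.0) - d1.get(k, 0.0)) for k in keys)

def product_state(p0, p1, labels):
    """Diagonal of rho_{i_1} (x) ... (x) rho_{i_k}, where rho_i = diag(p_i, 1 - p_i) is Alice's
    reduced state of |psi_i> = alpha_i|00> + beta_i|11> (p_i = alpha_i^2), labels = (i_1..i_k)."""
    prob_zero = {0: p0, 1: p1}
    dist = {}
    for bits in product((0, 1), repeat=len(labels)):
        w = 1.0
        for i, bit in zip(labels, bits):
            w *= prob_zero[i] if bit == 0 else 1.0 - prob_zero[i]
        dist[bits] = w
    return dist

def remaining_state(p0, p1, N, chosen):
    """Normalised sigma_chosen of eqs. (3.8)/(3.9): the uniform mixture, over all labellings of
    the other N-1 states consistent with the batch not being all of one kind, of the product
    states.  Reading assumed here: m = number of |psi_0> states among the remaining N-1, so the
    all-|psi_0> labelling is excluded when chosen = 0 and the all-|psi_1> one when chosen = 1."""
    k = N - 1
    acc, count = {}, 0
    for labels in product((0, 1), repeat=k):
        m = labels.count(0)
        if (chosen == 0 and m == k) or (chosen == 1 and m == 0):
            continue  # every state in the batch would be identical; Step 1 rejects such batches
        count += 1
        for bits, w in product_state(p0, p1, labels).items():
            acc[bits] = acc.get(bits, 0.0) + w
    return {bits: w / count for bits, w in acc.items()}

def closed_form_distance(p0, p1, N):
    """sigma_0 - sigma_1 = (rho_1^{(x)k} - rho_0^{(x)k}) / (2^k - 1) with k = N - 1, since the two
    mixtures share every labelling except the one each excludes.  Hence
    D(sigma_0, sigma_1) <= 1 / (2^k - 1), which tends to 0 as N grows."""
    k = N - 1
    all_one = product_state(p0, p1, (1,) * k)
    all_zero = product_state(p0, p1, (0,) * k)
    return trace_distance(all_one, all_zero) / (2 ** k - 1)

def joint_distance(p0, p1, N):
    """D(rho_0 (x) sigma_0, rho_1 (x) sigma_1), the left-hand side of eq. (3.10), by enumeration."""
    joints = []
    for chosen in (0, 1):
        rho = product_state(p0, p1, (chosen,))
        sigma = remaining_state(p0, p1, N, chosen)
        joints.append({rb + sb: rw * sw for rb, rw in rho.items() for sb, sw in sigma.items()})
    return trace_distance(joints[0], joints[1])
```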

3.4.2.2 Security Against Bob

We now consider Bob's cheating possibilities, assuming that Alice does not deviate from the protocol. To cheat, Bob must achieve a bias outside the range permitted. Let us suppose he wants to ensure that the outcome probability of 0 satisfies $p_0 > p_{\max} + \delta$, for some $\delta > 0$ (the case $p_1 > 1 - p_{\min} + \delta$ can be treated similarly), and let us suppose this can be achieved with probability $\delta' > 0$.

For this to be the case, there must be some cheating strategy (possibly including measurements) which, with probability $\delta'$, allows $B_2$ to identify a choice of i from the relevant batch of N qubits such that the state $\rho_i$ of $A_1$'s ith qubit then satisfies

$$\langle 0|\rho_i|0\rangle > p_{\max} + \delta. \qquad (3.11)$$

If $A_1$'s ith qubit does indeed have this property, and she chooses to test Bob's honesty on the relevant batch, the probability of the ith qubit passing the test is at most $1 - \delta^2$. To see this, note that if (3.11) holds, the probability of passing the test is maximized if the ith state is

$$(p_{\max} + \delta)^{1/2}|00\rangle + (1 - p_{\max} - \delta)^{1/2}|11\rangle, \qquad (3.12)$$

and $B_1$ declares that the ith state is $|\psi_0\rangle$. The probability is then

$$\left( \left(p_{\max}(p_{\max} + \delta)\right)^{1/2} + \left((1 - p_{\max})(1 - p_{\max} - \delta)\right)^{1/2} \right)^2 \leq 1 - \delta^2. \qquad (3.13)$$

However, the probability of $A_1$'s measurement outcomes is independent of $B_2$'s actions. Hence this bound applies whether or not $B_2$ actually implements a cheating strategy on the relevant batch. Thus there must be a probability of at least $\delta'\delta^2$ of at least one member of the batch failing $A_1$'s tests. Hence, for any given $\delta, \delta' > 0$, the probability that one of the $\sim 2^M$ batches for which $z = 1$ fails $A_1$'s tests can be made arbitrarily close to 1 by taking M sufficiently large.
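The detection bound used in Section 3.4.1.2 and again in Section 3.4.2.2 (eqs. 3.7 and 3.13) has the same form in both protocols. As an added example that is not the thesis's own code, the Python below evaluates the passing probability of the most favourable cheating state, compares it with $1 - \delta^2$, and turns the two aggregate bounds (Alice's $\gamma(1 - \delta^2)^{\gamma n}$ in VBCT1 and Bob's $\delta'\delta^2$ per tested batch in VBCT2) into functions; the independence of batches assumed in bob_detection_bound and all function names are assumptions of this example.

```python
import math

def pass_probability(p, delta):
    """Probability that a state prepared so that the tested outcome occurs with probability
    p + delta (instead of the honest p) survives a projective test onto the honest state.
    Among such states, (p+delta)^{1/2}|e_0> + (1-p-delta)^{1/2}|e_1> has the largest overlap
    with p^{1/2}|e_0> + (1-p)^{1/2}|e_1>, and the test passes with probability equal to the
    squared overlap, the left-hand side of eqs. (3.7) and (3.13)."""
    if not 0.0 <= p + delta <= 1.0:
        raise ValueError("p + delta must be a probability")
    overlap = math.sqrt(p * (p + delta)) + math.sqrt((1 - p) * (1 - p - delta))
    return overlap * overlap

def detection_bound(delta):
    """The bound 1 - delta^2 on the passing probability stated in the text."""
    return 1 - delta * delta

def best_declaration_pass_prob(p_max, delta_1):
    """VBCT1, Section 3.4.1.2: Alice's state gives <+|rho|+> = p_max + delta_1 = p_min + delta_2,
    with p_min = 1 - p_max.  She declares whichever of |psi_0>, |psi_1> is more likely to pass,
    so her passing probability is the larger of the two, at most 1 - min(|delta_1|, |delta_2|)^2."""
    p_min = 1 - p_max
    delta_2 = p_max + delta_1 - p_min
    return max(pass_probability(p_max, delta_1), pass_probability(p_min, delta_2))

def alice_success_bound(gamma, delta, n):
    """VBCT1: if a fraction gamma of the n states deviate by at least delta, the cheating
    strategy succeeds with probability at most gamma * (1 - delta^2)^(gamma * n)."""
    return gamma * (1 - delta * delta) ** (gamma * n)

def bob_detection_bound(delta_prime, delta, M):
    """VBCT2, Section 3.4.2.2: each tested batch exposes Bob with probability at least
    delta' * delta^2.  Treating the ~2^M tested batches as independent (an assumption made
    in this example), at least one test fails with probability >= 1 - (1 - delta' delta^2)^(2^M)."""
    return 1 - (1 - delta_prime * delta * delta) ** (2 ** M)
```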



3.4.3 Protocol VBCT3 

Protocol VBCT2 can be improved by using bit commitment subprotocols to keep 
Bob's choice of state secret until he is able to compare the values of z announced 
by A\ and A 2 . This eliminates the cheat-evident attack discussed in the last 
section, and defines a protocol which we conjecture is unconditionally secure. We 
use the relativistic bit commitment protocol RBC2 that is defined and reviewed in [27].



Protocol VBCT3 



1. $B_1$ creates N states, each being either $|\psi_0\rangle = \alpha_0|00\rangle + \beta_0|11\rangle$ or $|\psi_1\rangle = \alpha_1|00\rangle + \beta_1|11\rangle$, with $\{\alpha_0, \alpha_1, \beta_0, \beta_1\} \in \mathbb{R}^+$, and $\alpha_i^2 + \beta_i^2 = 1$. The states are chosen with probability half each. $B_1$ and $B_2$ both know the identity of the ith state, since $B_1$ uses the shared random string y to make his random choices. $B_1$ sends the second qubit of each state to $A_1$. The values of $\alpha_0, \beta_0, \alpha_1$ and $\beta_1$ are known to both Alice and Bob.

2. Alice decides whether to test Bob's honesty, which she codes by choosing the bit value $z = 1$, or to trust him, coded by $z = 0$. She selects $z = 0$ with probability $2^{-M}$. $A_1$ and $A_2$ simultaneously inform $B_1$ and $B_2$ of the choice of z.

3. $B_1$ and $B_2$ broadcast the value of z they received to one another.

4. If $B_1$ received $z = 1$ from $A_1$, he sends the first qubit of each state to $A_1$, along with a classical bit identifying the state as $|\psi_0\rangle$ or $|\psi_1\rangle$. If $B_2$ received $z = 1$ from $A_2$, he sends $A_2$ a classical bit identifying the state as $|\psi_0\rangle$ or $|\psi_1\rangle$. These communications are sent quickly enough that Alice is guaranteed that each of the $B_i$ sent their transmission before knowing the value of z sent to the other. $A_2$ broadcasts the classical data to $A_1$, who tests that the quantum states are those claimed in the classical communications by carrying out the appropriate projective measurements. If not, she aborts. If so, the protocol restarts at Step 1: $B_1$ creates a new set of N states and proceeds as above.

5. If $z = 0$, $A_2$ waits for time $T$ in the stationary reference frame of $B_2$ before starting a series of relativistic bit commitment subprotocols of type RBC2 by sending the appropriate communication (a list of suitably chosen random integers) to $B_2$. $B_2$ verifies the delay interval was indeed $T$, to within some tolerance.

6. $B_2$ continues the RBC2 subprotocols by sending $A_2$ communications which commit Bob to the value of i that defines the state to use for the coin toss.

7. $B_1$ and $B_2$ then wait a further time, by which point they have received the signals sent in Step 3. They then check that the z values they received from the $A_i$ are the same. If not, they abort the protocol.

8. $B_1$ and $B_2$ send communications to $A_1$ and $A_2$ which unveil the value of i to which they were committed, and hence reveal the state chosen for the coin toss. If the unveiling is invalid, Alice aborts.

9. $A_1$ and $B_1$ measure their halves of the ith state in the $\{|0\rangle, |1\rangle\}$ basis to define the outcome of the coin toss.

(10. As an optional supplementary post coin toss security test, $B_1$ asks $A_1$ to return her qubits from all states other than the ith. He then tests that the returned states are those originally sent, by carrying out appropriate projective measurements. If the tests fail, he aborts the protocol.)

3.4.3.1 Security Against Alice 

In this modification of Protocol VBCT2, there is no longer any advantage to Alice in cheating by arranging that one of the $A_i$ sends $z = 0$ and the other $z = 1$. Such an attack will be detected with certainty, as is the case with Protocol VBCT2. Moreover, since Bob's chosen value of i is encrypted by a bit commitment, which is only unveiled once the $B_i$ have checked that the values of z they received are identical, Alice gains no information about Bob's chosen bias from the attack. The bit commitment subprotocol RBC2 is unconditionally secure against Alice [27], since the communications she receives are, from her perspective, uniformly distributed random strings.

(As in the case of VBCT2, technically speaking, Alice has another possible attack: she can follow the protocol honestly up to Step 10 and then, once she
learns Bob's chosen state, intentionally try to fail Bob's tests by altering her 
halves of the remaining states in some way. By so doing, she can cause the 
protocol to abort after the coin toss outcome is known. Again, though, this gives 
her no advantage.) 

The protocol therefore presents Alice with no useful cheating attack. 



3.4.3.2 Security Against Bob 

Intuitively, one might expect the proof that VBCT2 is secure against Bob to 
carry over to a proof that VBCT3 is similarly secure, for the following reasons. 
First, the only difference between the two protocols is that Bob makes a com- 
mitment to the value of i rather than announcing it immediately. Second, when 
the bit commitment protocol RBC2 is used, as here, just for a single round of 
communications, it is provably unconditionally secure against general (classical 
or quantum) attacks by Bob. 

To make this argument rigorous, one would need to show that RBC2 and 
the other elements of VBCT3 are securely composable in an appropriate sense: 
i.e., that Bob has no collective quantum attack which allows him to generate and 
manipulate collectively the data used in the various steps of VBCT3 in such a 
way as to cheat. We conjecture that this is indeed the case, but have no proof. 



3.4.4 Protocol VBCT4 

Classical communications and information processing are generally less costly 
than their quantum counterparts, so much so that, in some circumstances, it is 
reasonable to treat classical resources as essentially cost free compared to quan- 
tum resources. It is thus interesting to note the existence of a classical relativistic 
protocol for VBCT, which is unconditionally secure against classical attacks, and which we conjecture is unconditionally secure against quantum attacks. The protocol requires Alice and Bob each to have two appropriately located agents, $A_1$, $A_2$ and $B_1$, $B_2$.

Protocol VBCT4 

1. Bob generates a $2M \times N$ matrix of bits such that each row contains either $\alpha_0^2 N$ zero entries or $\alpha_1^2 N$ zero entries, these being positioned randomly throughout the row. The rows are arranged in pairs, so that, for m from 0 to $(M - 1)$, either the 2mth row contains $\alpha_0^2 N$ zero entries and the $(2m+1)$th contains $\alpha_1^2 N$, or vice versa. This choice is made randomly, equiprobably and independently for each pair. The matrix is known to both $B_1$ and $B_2$ but kept secret from Alice.

2. Bob then commits each element of the matrix separately to Alice using the classically secure relativistic bit commitment subprotocol RBC2 [27], initiated by communications between $A_2$ and $B_2$.

3. $A_1$ then picks $M - 1$ pairs at random. She asks $B_1$ to unveil Bob's commitment for all of the bits in these pairs of rows.

4. The RBC2 commitments for the remaining bits are sustained while $A_1$ and $A_2$ communicate to verify that each unveiling corresponds to a valid commitment to either 0 or 1. Alice also checks that each unveiled pair contains one row with $\alpha_0^2 N$ zeros and one with $\alpha_1^2 N$ zeros. If Bob fails either set of tests, Alice aborts.

5. If Bob passes all of Alice's tests, $B_1$ picks the remaining row corresponding to the bias he desires, and $A_2$ simultaneously picks a random column. They inform $A_1$ and $B_2$ respectively, thus identifying a single matrix element belonging to the intersection.

6. Bob then unveils this bit, which is used as the outcome of the coin toss. 
The remaining commitments are never unveiled. 
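The following Python, an added example rather than code from the thesis, models Steps 1 and 3 to 6 of VBCT4 with the RBC2 commitments replaced by plain values that Bob cannot alter after Step 1 (an assumption of this example, so it illustrates the matrix test and the resulting bias, not the commitment's security). It checks that the toss outcome is 0 with frequency close to $\alpha_i^2 N / N$ for the row Bob picks, and that a planted malformed pair is caught with frequency close to $(M-1)/M$; the parameter values and function names are chosen here.

```python
import random

def make_row(n, zeros, rng):
    """A row of n bits with exactly `zeros` zero entries at random positions (Step 1)."""
    row = [1] * n
    for pos in rng.sample(range(n), zeros):
        row[pos] = 0
    return row

def bob_matrix(M, n, zeros_0, zeros_1, rng):
    """Step 1: a 2M x n bit matrix arranged in M row pairs.  In each pair one row has zeros_0
    zero entries and the other zeros_1, in random order.  zeros_i stands in for alpha_i^2 N,
    rounded to an integer in this example."""
    rows = []
    for _ in range(M):
        pair = [make_row(n, zeros_0, rng), make_row(n, zeros_1, rng)]
        rng.shuffle(pair)
        rows.extend(pair)
    return rows

def pair_is_valid(pair, zeros_0, zeros_1):
    """Step 4: an unveiled pair passes if every entry is a bit and the two rows contain
    zeros_0 and zeros_1 zeros, one each."""
    bits_ok = all(b in (0, 1) for row in pair for b in row)
    return bits_ok and sorted(row.count(0) for row in pair) == sorted((zeros_0, zeros_1))

def run_vbct4(matrix, bob_wants_zeros, zeros_0, zeros_1, rng):
    """Steps 3 to 6 with the commitments modelled as values fixed at Step 1 (assumption of this
    example).  Alice opens and checks M-1 random pairs; Bob then takes the row of the untested
    pair with the bias he wants, Alice picks a random column, and that entry is the coin.
    Returns ('abort', None) or ('ok', outcome_bit)."""
    M = len(matrix) // 2
    pairs = [matrix[2 * m: 2 * m + 2] for m in range(M)]
    tested = set(rng.sample(range(M), M - 1))
    if not all(pair_is_valid(pairs[m], zeros_0, zeros_1) for m in tested):
        return ("abort", None)
    (untested,) = set(range(M)) - tested
    row = next(r for r in pairs[untested] if r.count(0) == bob_wants_zeros)
    return ("ok", row[rng.randrange(len(row))])

def zero_frequency(M, n, zeros_0, zeros_1, bob_wants_zeros, trials, seed=1):
    """Frequency of outcome 0 over repeated honest runs; should approach bob_wants_zeros / n."""
    rng = random.Random(seed)
    zeros = 0
    for _ in range(trials):
        status, bit = run_vbct4(bob_matrix(M, n, zeros_0, zeros_1, rng),
                                bob_wants_zeros, zeros_0, zeros_1, rng)
        if status != "ok":
            raise RuntimeError("honest run aborted")
        zeros += bit == 0
    return zeros / trials

def planted_pair_detection(M, n, zeros_0, zeros_1, trials, seed=2):
    """Bob replaces one pair by two rows that both carry the higher bias.  Alice catches this
    unless that pair happens to be the single untested one, so the rate should be about (M-1)/M."""
    rng = random.Random(seed)
    caught = 0
    for _ in range(trials):
        matrix = bob_matrix(M, n, zeros_0, zeros_1, rng)
        bad = rng.randrange(M)
        matrix[2 * bad] = make_row(n, zeros_0, rng)
        matrix[2 * bad + 1] = make_row(n, zeros_0, rng)
        status, _ = run_vbct4(matrix, zeros_0, zeros_0, zeros_1, rng)
        caught += status == "abort"
    return caught / trials
```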
3.4.4.1 Security

The above protocol shows that, classically, bit commitment can be used as a subprotocol to achieve VBCT. The proof that RBC2 is unconditionally secure against classical attacks [27] can be extended to show that Protocol VBCT4 is similarly secure. RBC2 is conjectured, but not proven, to be secure against general quantum attacks. We conjecture, but have no proof, that the same is true of Protocol VBCT4.



3.5 Summary 

We have defined the task of variable bias coin tossing, illustrated its use with a 
couple of applications, and presented four VBCT protocols. The first, VBCT1, 
allows VBCT for a limited range of biases, and is unconditionally secure against 
general quantum attacks. The second protocol, VBCT2, is defined for any range 
of biases and guarantees cheat-evident security against general quantum attacks. 
The third, VBCT3, extends the second by using a relativistic bit commitment 
subprotocol, and we conjecture that it is unconditionally secure against general 
quantum attacks. 

The fourth protocol, VBCT4, is classical, and is based on multiple uses of 
a classical relativistic bit commitment scheme which is proven secure against 
classical attacks. It can be shown to be unconditionally secure against classical 
attacks. The relevant relativistic bit commitment scheme is conjectured secure 
against quantum attacks, and we conjecture that this is also true of Protocol 
VBCT4. 

Variable bias coin tossing is a simple example of a random one-input two-sided 
secure computation. The most general such computation is what we have termed 
a variable bias n-faced die roll. In this case, there is a finite range of n outputs, 
with each of Bob's inputs leading to a different probability distribution over these 
outputs. In other words, Bob is effectively allowed to choose one of a fixed set of 
biased n-faced dice to generate the output, while Alice is guaranteed that Bob's 
chosen die is restricted to the agreed set. 



The protocols VBCT2, VBCT3 and VBCT4 can easily be generalized to protocols defining variable bias n-faced die rolls. Thus, to adapt protocols VBCT2 and VBCT3 to variable bias die rolling, we require Bob to choose a series of states from the set $\{|\psi_i\rangle = \sum_{j=0}^{n-1} \alpha^i_j |jj\rangle\}_{i=1}^{r}$, where r is the number of dice in the allowed set and where $(\alpha^i_j)^2$ defines the probability of outcome j for the ith die (we take $\{\alpha^i_j\}$ to be real and positive). The protocols then proceed similarly to those given above, defining protocols which we conjecture to be cheat-evidently secure and unconditionally secure respectively.

To adapt Protocol VBCT4, we require that the matrix rows contain appropri- 
ate proportions of entries corresponding to the various possible die roll outcomes. 
We conjecture that this protocol is unconditionally secure. 

As we noted earlier, variable bias n-sided die rolling is the most general one- 
input random two-sided two party single function computation. Our conjectures, 
if proven, would thus imply that all such computations can be implemented with 
unconditional security. 
Chapter 4



Secure Two-Party Classical Computation

"An essential element of freedom is the right to privacy, a right that cannot be expected to stand against an unremitting technological attack." - Whitfield Diffie

4.1 Introduction 

Two wealthy and powerful businessmen wish to know who is the richest. They 
are highly secretive about their bank balances, and do not wish to disclose more 
information than that necessarily implied by the outcome. Does there exist a 
sequence of exchanges of (quantum) information that implements this task? This 
is an example of a secure two-party computation. In this chapter, we consider 
a range of such computations and ask whether they can be implemented with 
unconditional security. 

A general introduction to secure two-party computation has been given in Section 3.2. In this chapter, we continue to focus on single function computations. We will drop the qualifier single function — all functions in this chapter can be assumed to take this form unless otherwise stated. The main focus is on two-input functions, for which the two-sided deterministic and the one-sided and two-sided non-deterministic cases will each be discussed separately (see Section 3.2 for definitions). We present a cheating attack that renders a large subset of these functions insecure on the grounds that this attack allows one party to gain more information about the other's input than is implied by the outcome of the computation.



4.2 Security Definitions In Secure Multi-Party 
Computation 

Phrasing security definitions for secure multi-party computations requires some 
care. It is not sufficient (but is necessary), for example, to demand that the 
amount of information divulged to a dishonest party in an implementation of 
a protocol be less than that implied by the honest outcome, since the type of 
information may also be important. In this section, we discuss security defi- 
nitions which sufficiently restrict both the amount and type of information. In 
essence, the idea is that a protocol is secure if any information one party can get 
by deviating from the protocol could have been derived from their output. 

It may also be advantageous for one party to deviate from the protocol in order 
to influence its outcome, in effect changing the computation being performed. A 
secure protocol must also protect against this possibility. Furthermore, we would 
like a security definition which guarantees that when the protocol is used as a 
component of a larger protocol, it remains secure. The task of proving security 
of the larger protocol can then be reduced to that of its sub-protocols, together 
with an argument that the composition of such protocols performs the desired 
task. 



The universal security framework of Canetti [51], and the reactive simulatability framework of Backes, Pfitzmann and Waidner [52], [53] try to capture this idea in a classical context and have recently been extended and used in quantum scenarios [54]-[56]. Following [57], we define the following types of security.



Definition 4.1. (Stand-alone security) For a proposed protocol, one gives an 
ideal behaviour. One then demands that for every attack against a real execution 
of the protocol, there is an equivalent attack against the ideal, in the following 
sense. Suppose we have a black box implementing the ideal. Then, for any 
attack on the real protocol, there must exist a simulator which, when used in 
conjunction with the ideal protocol can generate exactly the same view¹ as present 
after the attack on the real execution. If some part of the view is probabilistic, 
the simulator must be able to generate a view whose joint distribution with the 
computation's input is identical to that of the real protocol. Furthermore, there 
must exist a simulator that can, in conjunction with a black box implementing 
the ideal, generate any intermediate states present in the real execution if both 
parties are honest. 

Definition 4.2. (Universally composable security) The requirements of stand-alone security hold when the protocol is used in any environment (i.e., as a subprotocol of any larger protocol).

The additional requirement for universal composability allows us to replace 
the protocol by its ideal in any security analyses, and is hence highly desirable. 
However, such a requirement is rarely achievable, and often one has to make 
do with stand-alone security. The difficulty of satisfying universally composable 
security definitions is highlighted in Section 4.2.1.

In order to prove security under either the stand-alone or universally compos- 
able definitions, one needs to produce a suitable description for the behaviour of 
an ideal protocol. Such descriptions are often given by invoking a trusted third 
party (TTP). While such behaviours are called "ideal", they may not be ideal 
in the sense of being the ultimate demands we might impose upon a protocol. 
Such demands often have to be weakened in order to find a set that are feasible. 
We give two ideals that might be used for computations involving any number of 
parties, before specializing to the two-party case. We begin with ideals relevant 
to classical protocols. Ideal Behaviour 1 represents a true ideal².

Ideal Behaviour 1. 

1. The TTP obtains all of the data from all of the parties.

2. It extracts their correct inputs³ from this data and performs the computation.

3. The TTP returns to each party their individual outputs.

¹The view of one party is their complete set of quantum states and classical values.
²The ideals we give are phrased for general computations, but can easily be specialized to the single-function case.

It is clear that such a behaviour places unduly strong requirements on a protocol, 
such that it could never be mimicked by a protocol in the real world. A 
party cannot even lie about their input in such a model! Instead, the following 
(weakened) model has been suggested [58] in order to capture some attacks that 
are impossible to avoid. 

Ideal Behaviour 2. 

1. The dishonest parties share their original inputs and decide on replaced 
inputs which they send to the TTP. The honest parties send their inputs. 

2. The TTP uses the inputs to determine the corresponding outputs, and sends 
them to the relevant parties. 

3. The dishonest parties may collect their outputs from the TTP and compute 
some function dependent on these and their initial inputs. 

Let us emphasize two important points. Firstly, cheating in a protocol that 
satisfies the requirements of Ideal Behaviour 2 is only possible by making a replaced 
input. The dishonest parties are not allowed to coerce the TTP into generating 
a different functionality. Secondly, in a real implementation of such a protocol, 
each party will receive more than just their output. In a secure protocol, any 
additional data received must be of no use. This is captured in the security 
definition by the simulator. 

For two-party protocols, it is known that such a behaviour cannot be realized, 
and hence Ideal Behaviour 2 is often only applied in the case of an honest majority 
[58]. The reason is that one has to take into account each party's ability to abort 
within the ideal behaviour. In a real protocol, either party may abort, and, in 
particular, they may do so at such a point where they have a knowledge advantage 
over the other (except in the case of single output computations, where one of the 
parties should never gain any information). This attack falls outside the scope 
of Ideal Behaviour 2. Goldreich [58] introduces Ideal Behaviour 3 which tries to 
allow for this: 

Ideal Behaviour 3. 

1. Each party sends its input to the TTP. A dishonest party may replace their 
input or send no input (abort). 

2. The TTP determines the corresponding outputs and sends the first output to the 
first party. 

3. The first party may (if dishonest) tell the TTP to abort, otherwise it tells 
it to proceed. 

4. If told to proceed, the TTP gives the second output to the second party. 
Otherwise it does nothing. 

Footnote 3: For instance, in a computation where one is supposed to input their bank balance, the 
correct input is the actual balance: an unscrupulous user may lie about their input. 

It is known that, assuming the existence of enhanced trapdoor functions, 
protocols for any secure two-party computation can be constructed that emulate 
Ideal Behaviour 3 with computational security [58]. When unconditional security 
is sought, this ideal behaviour is suitable for a single-round protocol, or one 
in which no information is given away until the last step (in which case early 
abort is equivalent, in terms of the information gain of both parties, to not going 
through with the protocol). However, this ideal behaviour neglects the possibility 
that either party may abort at any time. One could imagine protocols in which 
information is built up gradually by each party in each round of communication, 
in such a way that one party can only have a small amount more than the other 
at any given time [50]. One might then invoke an instance of Ideal Behaviour 3 
for each round of the protocol. This seems unduly cumbersome to build into a 
definition of a secure computation. An ideal whereby abort is allowed at any step 
is desirable. 

We introduce the following ideal behaviour in order to capture this (specializing 
now to the two-party case): 

Ideal Behaviour 4. 

1. Each party sends its input to the TTP, along with a number, $a$, representing 
an additional function to compute at the end (if desired). (If both parties 
submit numbers, the lowest is taken. Additionally, Alice can only submit 
even numbers, and Bob odd ones.) 

2. The TTP performs the correct function based on the inputs supplied to 
generate the correct outputs, $k_A$ and $k_B$. 

3. The TTP applies a further function to each of the outputs before sending 
$(a, f_a(k_A))$ to Alice and $(a, g_a(k_B))$ to Bob. 

The additional function to be computed represents the output that would be 
generated by a protocol which is aborted after step $a$. The behaviour has been 
phrased above in order to emphasize that the output generated by early aborting 
gives no extra information and no other type of information than that generated 
by following the protocol honestly, in the sense that the correct final output can 
be used to simulate any of the intermediate ones. 

When extending such definitions to quantum protocols, there are a number 
of additional considerations. The ideal behaviour in a quantum protocol may in 
many cases be weaker than its classical counterpart. This comes about because: 

1. A real protocol cannot mimic a TTP that does measurements, since in the 
real implementation of a protocol, it is always possible to keep all measurements 
at the quantum level until the end. 

2. A real protocol cannot perform classical certification of the inputs (i.e., 
cannot abort when a superposition is input instead of a single member of 
the computational basis) [59]. 

A classical protocol is able to circumvent such issues by implicitly making the 
(technological) assumption that all parties can only manipulate classical data. 

Footnote 4: Even though honest parties can be trusted to make measurements as the protocol progresses, 
it is equivalent when performing a security analysis to assume that they kept their measurements 
quantum until the end of the protocol, and hence we can restrict to protocols for which this is 
the case. 

Consider the following ideal behaviour for a quantum protocol implementing 
a computation: 

Ideal Behaviour 5. 

1. Both parties send their inputs to the TTP. If dishonest, the inputs may be 
quantum (i.e., superpositions) rather than members of an orthogonal basis. 

2. The TTP does a unitary operation on the inputs. For example, in a two-sided 
deterministic computation the unitary might be defined by 
$U_f |i\rangle |j\rangle |0\rangle |0\rangle = |i\rangle |j\rangle |k\rangle |k\rangle$, 
where $f$ indexes the function being computed, $i$ is Alice's input, 
$j$ is Bob's input and $k = f(i,j)$ is the corresponding output. 

3. The TTP returns the first and third Hilbert spaces to Alice, and the second 
and fourth ones to Bob. 

This is in fact stronger than we can achieve because it does not allow for early 
abort. Following arguments we presented in the classical case, we should modify 
the steps to allow Alice to choose whether Bob gets his output, and make further 
modifications to account for early aborts, in the spirit of Ideal Behaviour 4. 

Under Ideal Behaviour 5, cheating is restricted to making a dishonest input, 
and to making an alternative measurement on the output. We will show that 
such cheating is enough to break any reasonable requirements one might make 
for a large class of secure classical computations. Points 1 and 2 above ensure 
that one cannot weaken the ideal behaviour such that this attack fails. Hence 
quantum protocols for these classes of secure classical computation do not exist. 

One special case is that of a one-input computation. In the two-party case, 
such a computation must be both random and two-sided (otherwise it is trivial). 
In Chapter 2 we conjectured that such computations (variable bias $n$-faced die 
rolls) are possible with unconditional security. Our definitions there were such 
that (if we ignore the supplementary tests, which asymptotically were not necessary 
for security) there are no useful ways to abort, and so the behaviour realized 
is that of Ideal Behaviour 2. (In Ideal Behaviour 2, either party can force the 
outcome to be abort by refusing to make an input to the TTP in the first place.) 

Footnote 5: There are possible variants of the chosen unitary operation (see Section 4.2.2). 

Our protocols for variable bias n-faced die rolling were relativistic. Exploiting 
relativistic signalling constraints does not affect the type of behaviour realizable, 
in either quantum or classical protocols. Rather, using a relativistic protocol 
affects the range of computations possible within each model. For instance, we 
cannot mimic a TTP that performs coin tossing in a non-relativistic world, but 
can in a relativistic one. This is distinct from the types of behaviour in which we 
embed the TTP. 



4.2.1 The Role Of The Simulator 

Let us demonstrate the importance of the simulator for universally composable 
security definitions. For this we will use the task of extending coin tosses [57]. 
In such a task, Alice and Bob are given access to a finite source of coin tosses, 
guaranteed to be independent and uniformly distributed. Their goal is to exchange 
information and use this source in order to generate a shared random 
string longer than that which is available from the source alone. 

The protocol takes place in a classical environment in which Alice and Bob are 
given access to the device supplying coin tosses. This device operates according 
to the following ideal. 

Ideal Functionality 4.1. 

1. The TTP waits until it has been initialized by both parties, after which, it 
generates a random string, R. 

2. If Alice is dishonest, she can choose when the TTP gives R to Bob, other- 
wise, the TTP does so immediately. 

3. Similarly, if Bob is dishonest, he can choose when the TTP gives R to 
Alice, otherwise, the TTP does so immediately. 

The following classical non-relativistic protocol is employed to generate a 
shared random string longer than R, using a single call of the above ideal at 
the appropriate time. 
Protocol 4.1. 

1. Alice sends a random string, a, to Bob. 

2. Bob receives Alice's string and sends a random string, b, to Alice. Strings 
a and b have the same length. 

3. Alice and Bob supply initiation signals to a device (device 1) that supplies 
perfect coin tosses. 

4. Device 1 supplies $R$ to Alice and/or Bob in accordance with Ideal Functionality 
4.1, i.e., depending on whether either party is dishonest. 

5. Alice and Bob use R to perform privacy amplification on the concatenated 
string, (a,b). This generates a final string, s, that is (virtually) uniform 
and independent of R, a and b. The final output of the protocol is the 
concatenation, (R,s). 



Security of this protocol is discussed in [57]. It relies on the fact that $R$ is not 
known to Alice and Bob until after they have exchanged strings, and then follows 
from results on privacy amplification (see Section 1.4.2). 

We will show that this protocol is not sufficient to realize a modification of 
Ideal Functionality 4.1 where $R$ is replaced by $(R, s)$. This follows because there 
exists an interaction with a system in the environment that Bob can follow in the 
real protocol, but cannot implement in the ideal. 

Consider an instance of the real protocol, and suppose Bob has access to 
an additional device (device 2) with which he interacts only once. He inputs 
$a$ into this device and it returns $b'$ to him, with $b'$ being a function of $a$ which 
he does not know. Bob sends $b'$ to Alice in place of $b$, after which the protocol 
proceeds with both parties behaving honestly. If he follows this strategy, the final 
string $s'$ is distributed uniformly, regardless of the function applied by the extra 
device. Given an implementation of the ideal protocol, which outputs $s_I$, it is 
easy for Bob to simulate $a$ and $b$. However, if Bob simulates $a$, and then inputs 
this into device 2, the string $b'$ he is returned will not necessarily be compatible 
with the string returned by the protocol (i.e., $(R, f_R(a, b'))$ may not equal $s_I$). 

Footnote 6: More generally, the joint distributions over all variables are different in the two cases. 

Figure 4.1: The sequence of exchanges between Alice and Bob in the protocol for 
extending coin tosses (Protocol 4.1), where Bob interacts with a second device 
to choose his string. Device 1 is the supplier of perfect coin tosses, in the form 
of string $R$. In the original form of the protocol, device 2 is not used, and Bob 
sends a random string, $b$, of his own choosing to Alice. 



It is impossible to correctly simulate $b'$ and hence the protocol does not satisfy 
universally composable security requirements. The entire procedure is shown in 
Figure 4.1. 
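Protocol 4.1 and the device-2 interaction above, run end to end as an added illustration (this is not the thesis's code). It assumes a Toeplitz-matrix hash seeded by $R$ for the privacy amplification step and a constructed device 2 that reverses $a$; the thesis fixes neither.

```python
import random

# Constructed sizes: |a| = |b| = N bits and |s| = M bits; the ideal coin source
# supplies |R| = 2N + M - 1 bits, used here as the seed of a Toeplitz hash
# (the thesis does not fix the privacy amplification function).
N, M = 16, 8


def random_bits(length, rng):
    return [rng.randrange(2) for _ in range(length)]


def toeplitz_hash(seed, x):
    """Step 5 of Protocol 4.1: s = T x over GF(2), where T is the M x len(x)
    Toeplitz matrix with entry (r, c) equal to seed[r - c + len(x) - 1]."""
    n = len(x)
    assert len(seed) == n + M - 1
    return [sum(seed[r - c + n - 1] & x[c] for c in range(n)) % 2 for r in range(M)]


def ideal_coin_source(rng):
    """Ideal Functionality 4.1 with both parties honest: a fresh uniform R,
    released to both parties once both have initialised the device."""
    return random_bits(2 * N + M - 1, rng)


def real_protocol(rng, device=None):
    """Steps 1 to 5 of Protocol 4.1. If `device` is given, Bob feeds Alice's a
    into it and sends its answer b' in place of his own random b (Section 4.2.1)."""
    a = random_bits(N, rng)                            # step 1: Alice -> Bob
    b = device(a) if device else random_bits(N, rng)   # step 2: Bob -> Alice
    R = ideal_coin_source(rng)                         # steps 3 and 4: device 1
    s = toeplitz_hash(R, a + b)                        # step 5: amplify (a, b)
    return {"a": a, "b": b, "R": R, "s": s, "output": R + s}


def simulator_without_device(R, s, rng, max_tries=4096):
    """A simulator holding only the ideal's (R, s) can pick a freely and then
    search for a b consistent with s. Returns (a, b), or None if the budget runs out."""
    a = random_bits(N, rng)
    for _ in range(max_tries):
        b = random_bits(N, rng)
        if toeplitz_hash(R, a + b) == s:
            return a, b
    return None


def simulator_with_device(R, s, rng, device):
    """When the real Bob routes a through device 2, the simulator must commit to
    a, accept b' = device(a), and can only hope the result is consistent with s."""
    a = random_bits(N, rng)
    return toeplitz_hash(R, a + device(a)) == s


def simulation_success_rates(trials, seed=7):
    """Fraction of runs in which a simulator reproduces a transcript consistent
    with the ideal output, without and with Bob's extra device."""
    rng = random.Random(seed)

    def device(a):  # constructed device 2: a fixed function Bob does not know
        return a[::-1]

    ok_plain = ok_device = 0
    for _ in range(trials):
        run = real_protocol(rng)
        ok_plain += simulator_without_device(run["R"], run["s"], rng) is not None
        run = real_protocol(rng, device)
        ok_device += simulator_with_device(run["R"], run["s"], rng, device)
    return ok_plain / trials, ok_device / trials


def honest_run(seed=3):
    """One honest execution, for inspection."""
    return real_protocol(random.Random(seed))


if __name__ == "__main__":
    print("simulation success (no device, device 2):", simulation_success_rates(40))
```

Without the device the simulator succeeds in almost every run; with it, consistency with $s$ is a $2^{-M}$ chance, which is the mismatch the text describes.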

While a cheating strategy of this kind is unlikely to present a problem in 
any future application, it is possible that more significant attacks exist. The 
universally composable security definition relieves us of such worries: if such a 
security definition is satisfied, then one can replace all instances of the protocol 
with the ideal without affecting security. 

Unfortunately, it is rare that universally composable security can be realised. 
The type of attack given in this section is detrimental in many contexts. Protocols 
in which one party must respond to information received from the other 
are particularly vulnerable in this way. One exception is the case of a classical 
protocol to give a zero-knowledge proof for the graph non-isomorphism problem 
[60], which we discuss in Appendix B. The reason that this protocol escapes the 
aforementioned attack is that one party (the prover) always has the freedom to 
deterministically choose the output of the protocol. 

Relativistic protocols can provide a way to avoid this type of attack. In a 
non-relativistic situation in which one party can pass information they receive 
through an external device before responding, it may be possible to instead use a 
relativistic protocol in which the response is supplied by a distant agent of that 
party. As an example, suppose we demanded that Step 2 of Protocol 4.1 occurs 
at spacelike separation to the point where Bob receives $a$ (which can be done 
by having Bob's distant agent send it to $A_2$ in a relativistic protocol). The attack involving the 
second device cannot then be implemented in the real world and we do not need 
to provide a simulator for it in the ideal case. 

Footnote 7: This will only work for protocols in which the response is supposed to be independent of 
the received information. 

4.2.2 Computational Model 

We will use a black box model for secure computation. A black box is a hypothetical 
device that satisfies a certain set of ideal functionality requirements. It 
features an authentication system (e.g., an unalterable label) so that each party 
can be sure of the function it computes. We will give a security requirement, 
and show that even if black boxes satisfying Ideal Behaviour 5 were to exist, this 
requirement cannot, in general, be satisfied. 

We now comment on the possible forms of unitary operation that could implement 
a particular computation. In a two-sided, non-deterministic computation, 
one seeks the functionality given by $U_f$, defined by 

$U_f |i\rangle_A |j\rangle_B |0\rangle |0\rangle = |i\rangle_A |j\rangle_B \sum_k \sqrt{p^k_{ij}} \, |kk\rangle_{AB}.$  (4.1) 

In practice, a computation might generate additional states, and one should 
consider instead $U'_f$ defined by 

$U'_f |i\rangle_A |j\rangle_B |0\rangle |0\rangle |0\rangle = |i\rangle_A |j\rangle_B \sum_k \sqrt{p^k_{ij}} \, |kk\rangle_{AB} |\psi^{ijk}\rangle_{AB},$  (4.2) 

where the final Hilbert space corresponds to an ancillary system the black box uses 
for the computation (and has arbitrary dimension). In the protocol mimicking 
such a box, this final state must be distributed between Alice and Bob in some 
way, such that the part that goes to Bob contains no information on Alice's input, 
and vice versa. 

If this second unitary operation replaces that given in Ideal Behaviour 5, then 
again each party has two ways of cheating: inputting a superposition of honest 
states or using a different measurement on the output. We now show that under 
such attacks, insecurity of functions under $U_f$ implies insecurity under $U'_f$, and 
hence we consider only the former. 

Consider the case where Alice makes a superposed input, $\sum_i a_i |i\rangle$, rather than 
a single member of the computational basis. Then, at the end of the protocol, 
her reduced density matrix takes either the form 

$\sigma_j = \sum_{i,i',k} a_i a_{i'}^* \left( p^k_{ij} p^k_{i'j} \right)^{1/2} |i\rangle\langle i'| \otimes |k\rangle\langle k|,$  (4.3) 

or 

$\sigma'_j = \sum_{i,i',k} a_i a_{i'}^* \left( p^k_{ij} p^k_{i'j} \right)^{1/2} |i\rangle\langle i'| \otimes |k\rangle\langle k| \otimes \mathrm{tr}_B |\psi^{ijk}\rangle\langle \psi^{i'jk}|,$  (4.4) 

the first case applying to $U_f$, and the second to $U'_f$. 

Alice is then to make a measurement on her state in order to distinguish 
between the different possible inputs Bob could have made, as best she can. 
We will show that there exists a trace-preserving quantum operation that Alice 
can use to convert $\sigma'_j$ to $\sigma_j$ for all $j$. Therefore Alice's ability to distinguish 
between $\{\sigma'_j\}_j$ is at least as good as her ability to distinguish between $\{\sigma_j\}_j$. 

In order that the protocol functions correctly when both Alice and Bob are 
honest, we require $\mathrm{tr}_B |\psi^{ijk}\rangle\langle \psi^{ijk}| = \rho^{i,k}$ to be independent of $j$ (otherwise Alice 
can gain more information on Bob's input than that implied by $k$ by a suitable 
measurement on her part of this state). By expressing $\rho^{i,k}$ in its diagonal basis, 
$\rho^{i,k} = \sum_m \lambda^{i,k}_m |m^{i,k}\rangle\langle m^{i,k}|$, we have 

$|\psi^{ijk}\rangle = \sum_m \sqrt{\lambda^{i,k}_m} \, |m^{i,k}\rangle_A \otimes U^{i,j,k} |m\rangle_B,$  (4.5) 

where $\{|m^{i,k}\rangle_A\}_m$ form an orthogonal basis set on Alice's system and likewise 
$\{|m\rangle_B\}_m$ is an orthogonal basis for Bob's system. Bob then holds 

$\mathrm{tr}_A |\psi^{ijk}\rangle\langle \psi^{ijk}| = \sum_m \lambda^{i,k}_m \, U^{i,j,k} |m\rangle\langle m|_B \, (U^{i,j,k})^\dagger.$  (4.6) 

This must be independent of $i$, hence $\lambda^{i,k}_m$ and $U^{i,j,k}$ must be independent of $i$. 
Thus 

$|\psi^{ijk}\rangle = \sum_m \sqrt{\lambda^{k}_m} \, |m^{i,k}\rangle_A \otimes U^{j,k} |m\rangle_B.$  (4.7) 

It hence follows that there is a unitary on Alice's system converting $|\psi^{i_1 jk}\rangle$ to 
$|\psi^{i_2 jk}\rangle$ for all $i_1, i_2$, and that furthermore, this unitary is independent of $j$. Likewise, 
there is a unitary on Bob's system converting $|\psi^{i j_1 k}\rangle$ to $|\psi^{i j_2 k}\rangle$ for all $j_1, j_2$, 
with this unitary being independent of $i$. 

Returning now to the case where Alice makes a superposed input, the final 
state of the entire system can be written 

$\sum_{i,k} a_i \sqrt{p^k_{ij}} \, |i\rangle_A |j\rangle_B |k\rangle_A |k\rangle_B \left( \sum_m \sqrt{\lambda^k_m} \, |m^{i,k}\rangle_A \, U^{j,k} |m\rangle_B \right).$  (4.8) 

Alice can then apply the unitary (4.9), which, conditioned on her $i$ and $k$ registers, 
maps $|m^{i,k}\rangle_A$ to $|m\rangle_A$, to her systems, leaving the state as 

$\sum_{i,k} a_i \sqrt{p^k_{ij}} \, |i\rangle_A |j\rangle_B |k\rangle_A |k\rangle_B \left( \sum_m \sqrt{\lambda^k_m} \, |m\rangle_A \, U^{j,k} |m\rangle_B \right).$  (4.10) 

Alice is thus in possession of density matrix 

$\sum_{i,i',k} a_i a_{i'}^* \left( p^k_{ij} p^k_{i'j} \right)^{1/2} |i\rangle\langle i'| \otimes |k\rangle\langle k| \otimes \rho^k_A,$  (4.11) 

where $\rho^k_A = \sum_m \lambda^k_m |m\rangle\langle m|_A$. Hence, on tracing out the final system, we are left 
with $\sigma_j$ as defined by (4.3). 

We have hence shown that there is a ($j$-independent) trace-preserving quantum 
operation Alice can perform which converts $\sigma'_j$ to $\sigma_j$ for all $j$. Hence Alice's 
ability to distinguish between Bob's inputs after computations of the type $U'_f$ is 
at least as good as her ability to distinguish Bob's inputs after computations of 
the type $U_f$, and so, under the type of attack we consider, insecurity of computations 
specified by $U_f$ implies insecurity of those specified by $U'_f$. We will 
therefore consider only type $U_f$ in our analysis. An analogous argument follows 
for the one-sided case, and likewise for the deterministic cases (which are special 
cases of the non-deterministic ones). 

In this chapter we will show that the following security condition can be broken 
for a large class of computations. 

Security Condition. Consider the case where Bob is honest. A secure com- 
putation is one for which there is no input, together with a measurement on 
the corresponding output that gives Alice a better probability of guessing Bob's 
input than she would have gained by following the protocol honestly and mak- 
ing her most informative input. This condition must hold for all forms of prior 
information Alice holds on Bob's input. 



4.3 Deterministic Functions 

We first focus on the deterministic case. Lo showed that two-input deterministic 
one-sided computations are impossible to compute securely [50], hence only two-sided 
deterministic functions remain. Suppose now that the outcome of such a 
protocol leads to some real-world consequence. In the dating problem [61], for 
example, one requires a secure computation of $k = i \times j$, where $i, j \in \{0, 1\}$. If 
the computation returns $k = 1$, then the protocol dictates that Alice and Bob 
go on a date. This additional real-world consequence is impossible to enforce, 
although naturally, both Alice and Bob have some incentive not to stand the 
other up, since this results in a loss of the other's trust. A cost function could be 
introduced to quantify this. Because suitable cost assignments must be assessed 
case by case, it is difficult to develop general results. To eliminate such an issue, 
we restrict to the case where the sole purpose of the computation is to learn 
something about the input of the other party. No subsequent action of either 
party based on this information will be specified. 

We say that a function is potentially concealing if there is no input by Alice 
which will reveal Bob's input with certainty, and vice-versa. If the aim of the 
computation is only to learn something about the input of the other party, and 
if Bob's data is truly private, he will not enter a secure computation with Alice 
if she can learn his input with certainty. We hence only consider potentially 
concealing functions in what follows. In addition, we will ignore degenerate functions 
in which two different inputs are indistinguishable in terms of the outcomes 
they afford. If the sole purpose of the computation is to learn something about 
the other party's input, then, rather than compute a degenerate function, Alice 
and Bob could instead compute the simpler function formed by combining the 
degenerate inputs of the original. 

Footnote 8: We refer the reader to Section 3.2 for descriptions of the various types of function we 
consider. 

Footnote 9: Lo did not consider relativistic cryptography, but his results apply to this case as well (see 
the discussion in Section [?]). 

An alternative way of thinking about such functions is that they correspond to 
those in which there is a cost for ignoring the real-world consequence implied by the 
computation. At the other extreme, one could invoke the presence of an enforcer 
who would compel each party to go ahead with the computation's specified action. 
This would have no effect on security for a given function (a cheating attack that 
works without an enforcer also works with one) but introduces a larger set of 
functions that one might wish to compute. There exist functions within this 
larger set for which the attack we present does not work. 

We specify functions by giving a matrix of outcomes. For convenience, the 
outputs of the function are labelled with consecutive integers starting with 0. We 
consider functions that satisfy the following conditions: 

1. (Potentially concealing requirement) Each row and each column must con- 
tain at least two elements that are the same. 

2. (Non degeneracy requirement) No two rows or columns should be the same. 

For instance, if $i, j \in \{0, 1, 2\}$ (which we term a $3 \times 3$ function), the function 
$f(i,j) = 1 - \delta_{ij}$ is represented by 




               i 
           0   1   2 
        +------------ 
  j  0  |  0   1   1 
     1  |  1   0   1 
     2  |  1   1   0 

This function is potentially concealing, and non-degenerate. 

We consider the case of $3 \times 3$ functions. We first give a non-constructive proof 
that Alice can always cheat, and then an explicit cheating strategy. 

Let us assume that we have a black box that can implement the protocol, i.e., 
one that performs the following operation: 

$U_f |i\rangle_A |j\rangle_B |0\rangle |0\rangle = |i\rangle_A |j\rangle_B |f(i,j)\rangle_A |f(i,j)\rangle_B.$  (4.12) 

The states $\{|i\rangle_A\}$ are mutually orthogonal, as are the members of the sets $\{|j\rangle_B\}$, 
$\{|f(i,j)\rangle_A\}$ and $\{|f(i,j)\rangle_B\}$. This ensures that Alice and Bob always obtain the 
correct output if both have been honest. The existence of such a black box would 
allow Alice to cheat in the following way. She can first input a superposition, 
$\sum_{i=0}^{2} a_i |i\rangle_A$, in place of $|i\rangle_A$. Her output from the box is one of $\rho_0, \rho_1, \rho_2$, the 
subscript corresponding to Bob's input, $j$, where (using the shorthand 
$\mathrm{tr}_B(|\psi\rangle) = \mathrm{tr}_B(|\psi\rangle\langle\psi|)$) 

$\rho_j = \mathrm{tr}_B\!\left( U_f \left( \sum_{i=0}^{2} a_i |i\rangle_A \right) |j\rangle_B |0\rangle |0\rangle \right).$  (4.13) 

Alice can then attempt to distinguish between these using any measurement of 
her choice. 

The main result of this section is the following theorem. 

Theorem 4.1. Consider the computation of a $3 \times 3$ deterministic function satisfying 
conditions 1 and 2. For each function of this type, there exists a set of 
coefficients, $\{a_i\}$, such that when Alice inputs $\sum_{i=0}^{2} a_i |i\rangle_A$ into the protocol, there 
exists a measurement that gives her a better probability of distinguishing the three 
possible ($j$ dependent) output states than that given by her best honest strategy. 

Proof. We will rely on the following lemma. 

Lemma 4.1. All $3 \times 3$ functions satisfying conditions 1 and 2 can be put in the 
form of the function in Table 4.1. 

               i 
           0   1   2 
        +------------ 
  j  0  |  0   a   . 
     1  |  0   b   . 
     2  |  1   b   . 

Table 4.1: This function can be taken as the most general $3 \times 3$ function satisfying 
conditions 1 and 2, where $a \neq b$, and $a = 0$ or $b = 0$ or $b = 1$. The dots represent 
unspecified (and not necessarily identical) entries consistent with the conditions. 

Proof. The essential properties of any function are unchanged under permutations 
of rows or columns (which correspond to relabelling of inputs), and under 
relabelling of outputs. In order that the function is potentially concealing, there 
can be at most one column whose elements are identical. By relabelling the 
columns if necessary, we can ensure that this corresponds to $i = 2$. Relabelling 
the outputs and rows, if necessary, the column corresponding to $i = 0$ has entries 
$(f(0,0), f(0,1), f(0,2)) = (0, 0, 1)$. The column corresponding to $i = 1$ then must 
have entries $(a, a, b)$ or $(a, b, b)$, with $a \neq b$. In the case $(a, a, b)$, the $i = 2$ column 
must have the form $(c, d, d)$, for $c \neq d$, in which case we can permute the $i = 1$ 
and $i = 2$ columns to recover the form $(a, b, b)$ for the $i = 1$ column. Relabellings 
always put such cases into forms with $a = 0$ or $b = 0$ or $b = 1$. QED 
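The two admissibility conditions and the Table 4.1 normal form of Lemma 4.1, as an added Python illustration (not the thesis's Mathematica script). The matrix layout `f[i][j]`, the uniform prior in the honest-guess calculation, and the brute-force check restricted to three output labels are assumptions of the example.

```python
from itertools import permutations, product

# f[i][j] holds f(i, j): i is Alice's input (a column of the thesis's tables),
# j is Bob's (a row). Constructed example: f(i, j) = 1 - delta_ij.
F_NOT_EQUAL = [[1 - (i == j) for j in range(3)] for i in range(3)]


def columns(f):
    return [tuple(f[i][j] for j in range(3)) for i in range(3)]


def rows(f):
    return [tuple(f[i][j] for i in range(3)) for j in range(3)]


def is_potentially_concealing(f):
    """Condition 1: every row and every column repeats some output, so no
    single input of either party pins down the other's input."""
    return all(len(set(line)) < 3 for line in columns(f) + rows(f))


def is_nondegenerate(f):
    """Condition 2: no two rows and no two columns are identical."""
    return len(set(columns(f))) == 3 and len(set(rows(f))) == 3


def honest_guess_probability(f):
    """Best honest strategy under a uniform prior on j (assumed): Alice inputs
    i, sees k = f(i, j) and guesses a j consistent with k; she is right with
    probability (number of distinct outputs in column i) / 3, maximised over i."""
    return max(len(set(col)) for col in columns(f)) / 3


def relabel(f, col_perm, row_perm, out_map):
    """g(i, j) = out_map[f(col_perm[i], row_perm[j])]: permute inputs, rename outputs."""
    return [[out_map[f[col_perm[i]][row_perm[j]]] for j in range(3)] for i in range(3)]


def table_4_1_form(g):
    """Is g in the form of Table 4.1: column 0 is (0, 0, 1) and column 1 is
    (a, b, b) with a != b and (a == 0 or b == 0 or b == 1)? Returns (a, b) or None."""
    c0, c1 = columns(g)[0], columns(g)[1]
    a, b = c1[0], c1[1]
    if c0 == (0, 0, 1) and c1 == (a, b, b) and a != b and (a == 0 or b == 0 or b == 1):
        return a, b
    return None


def normal_form(f):
    """Search all input permutations and output relabellings for a copy of f in
    the form of Table 4.1 (Lemma 4.1). Returns (g, a, b), or None if there is none."""
    outputs = sorted({v for col in f for v in col})
    for col_perm in permutations(range(3)):
        for row_perm in permutations(range(3)):
            for target in permutations(range(len(outputs))):
                g = relabel(f, col_perm, row_perm, dict(zip(outputs, target)))
                ab = table_4_1_form(g)
                if ab is not None:
                    return g, ab[0], ab[1]
    return None


def check_lemma(num_outputs=3):
    """Brute-force Lemma 4.1 over every 3x3 function with outputs in
    range(num_outputs) that satisfies conditions 1 and 2. Returns
    (functions checked, functions with no Table 4.1 form)."""
    checked = failures = 0
    for entries in product(range(num_outputs), repeat=9):
        f = [list(entries[3 * i:3 * i + 3]) for i in range(3)]
        if not (is_potentially_concealing(f) and is_nondegenerate(f)):
            continue
        checked += 1
        if normal_form(f) is None:
            failures += 1
    return checked, failures


if __name__ == "__main__":
    print("normal form of 1 - delta_ij:", normal_form(F_NOT_EQUAL))
    print("lemma check (checked, failures):", check_lemma())
```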

Suppose Alice inputs $\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$ into a function of the form given in Table 
4.1. After tracing out Bob's systems, Alice holds one of 

$\rho_0 = \tfrac{1}{2}\left( |00\rangle\langle 00| + \delta_{a,0} \left( |00\rangle\langle 10| + |10\rangle\langle 00| \right) + |1a\rangle\langle 1a| \right)$  (4.14) 

$\rho_1 = \tfrac{1}{2}\left( |00\rangle\langle 00| + \delta_{b,0} \left( |00\rangle\langle 10| + |10\rangle\langle 00| \right) + |1b\rangle\langle 1b| \right)$  (4.15) 

$\rho_2 = \tfrac{1}{2}\left( |01\rangle\langle 01| + \delta_{b,1} \left( |01\rangle\langle 11| + |11\rangle\langle 01| \right) + |1b\rangle\langle 1b| \right).$  (4.16) 

Measurement using the set $\{E_{ik} = |ik\rangle\langle ik|\}$ in effect reverts to an honest strategy. 
The probability of correctly guessing Bob's input using this set is the same as 
that for Alice's best honest strategy. These operators can be combined to form 
just three operators, $\{E_{j'}\}$, such that a result corresponding to $E_{j'}$ means that 
Alice's best guess of Bob's input is $j'$. Then 

$E_0 = \alpha_1 |00\rangle\langle 00| + \delta_{a,0} |10\rangle\langle 10| + \delta_{a,1} |11\rangle\langle 11| + \delta_{a,2} |12\rangle\langle 12| + \delta_{a,3} |13\rangle\langle 13|$  (4.17) 

$E_1 = (1 - \alpha_1) |00\rangle\langle 00| + \alpha_2 \delta_{b,0} |10\rangle\langle 10| + \alpha_3 \delta_{b,1} |11\rangle\langle 11| + \alpha_4 \delta_{b,2} |12\rangle\langle 12| + \alpha_5 \delta_{b,3} |13\rangle\langle 13|$  (4.18) 

$E_2 = \mathbb{1} - E_0 - E_1,$  (4.19) 

where the $\{\alpha_k\}$ are arbitrary parameters, $0 \leq \alpha_k \leq 1$, and do not affect the success 
probability. We will show that such a measurement is not optimal to distinguish 
between the corresponding $\{\rho_j\}$. This follows from Theorem 1.1. 
Equations (1.2) and (1.3) imply respectively, 

$(\alpha_1 = 0 \text{ or } \alpha_2 = 0 \text{ or } b \neq 0) \text{ and } (\alpha_1 = 1 \text{ or } a \neq 0) \text{ and }$ 
$(\alpha_1 = 1 \text{ or } \alpha_2 = 1 \text{ or } b \neq 0) \text{ and } (\alpha_3 = 0 \text{ or } b \neq 1),$  (4.20) 

and, 

$(\alpha_1 = 0 \text{ or } (b \neq 0 \text{ and } a \neq 0)) \text{ and } (b = 1 \text{ or } \alpha_3 > \tfrac{1}{2}) \text{ and }$ 
$(a = 1 \text{ or } \alpha_3 = 1 \text{ or } b \neq 1) \text{ and } (b = 0 \text{ or } \alpha_2 (1 - \alpha_1) > \tfrac{1}{2}) \text{ and }$ 
$(\alpha_1 = 1 \text{ or } b \neq 0 \text{ or } \alpha_2 = 0).$  (4.21) 

In addition, because the function is in the form given in Table 4.1, we also have 

$(a = 0 \text{ or } b = 0 \text{ or } b = 1) \text{ and } a \neq b.$  (4.22) 

The system of equations (4.20) to (4.22) cannot be satisfied for any values of $a, b, \{\alpha_k\}$. 
Hence, the measurement operators (4.17) to (4.19) are not optimal for discriminating 
between Bob's inputs, so Alice always has a cheating strategy. QED 

Our proof of Theorem 4.1 is non-constructive: we have shown that cheating is 
possible, but not explicitly how it can be done. Except in special cases (e.g., where 
the states $\{\rho_j\}$ are symmetric), no procedure for finding the optimal POVM 
to distinguish between states is known [?, ?]. Nevertheless, we have found a 
construction based on the square root measurement [?, ?] that, while not being 
optimal, gives a higher probability of successfully guessing Bob's input than any 
honest strategy. 
                 i 
             0        1 
         +----------------- 
  j  0   |  p_00     p_10 
     1   |  p_01     p_11 

Table 4.2: The entries in the table give the probabilities of output 0 given inputs 
$i$ and $j$. For example, if both parties input 0, then the output of the function is 0 
with probability $p_{00}$, and 1 with probability $1 - p_{00}$. 



The strategy applies to the states, $\sigma_j$, formed when Alice inputs the state 
$\frac{1}{\sqrt{3}}(|0\rangle + |1\rangle + |2\rangle)$ into the computation. The set of operators are those corresponding 
to the square root measurement, defined by 

$E_{j'} = \left( \sum_j \sigma_j \right)^{-1/2} \sigma_{j'} \left( \sum_j \sigma_j \right)^{-1/2}.$  (4.23) 

One can verify, case by case, that this strategy affords Alice a better guessing 
probability over Bob's input than any honest one for all functions of the form of 
Table 4.1. The Mathematica script which we have used to confirm this is available 
on the world wide web [62]. 



4.4 Non-Deterministic Functions 

4.4.1 Two-Sided Case 

Initially, we specialize to the case $i, j, k \in \{0, 1\}$. We specify such functions via 
a matrix of probabilities whose meaning is given in Table 4.2. For the two-sided 
case, the relevant black box implements the unitary, $U$, given by 

$U |i\rangle_A |j\rangle_B |0\rangle |0\rangle = |i\rangle_A |j\rangle_B \left( \sqrt{p_{ij}} \, |00\rangle_{AB} + \sqrt{1 - p_{ij}} \, |11\rangle_{AB} \right).$  (4.24) 

Suppose that Alice has prior information about Bob's input such that, from her 
perspective, he will input 0 with probability $\eta_0$, and 1 with probability $\eta_1 = 1 - \eta_0$. 
The probability of correctly guessing Bob's input using the best honest strategy 
is 

$p_h = \max_i \left( \max_j \left( p_{ij} \eta_j \right) + \max_j \left( (1 - p_{ij}) \eta_j \right) \right).$  (4.25) 
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Denote Alice's final state by pj, where j is Bob's input. The optimal strategy to 
distinguish p and pi is successful with probability 

Pc = -(l + tr|77oPo- Wil) (4-26) 

(cf . Theorem II. ip . 

Theorem 4.2. Let Alice input ^ (|0) + |1}) and Bob input j into the computa- 
tion given in \J^.2J^ . Let Alice implement the optimal measurement to distinguish 
the corresponding p and p\ and call the probability of a correct guess using this 
measurement p c . Then, for all {poo,Poi,Pio,Pn} , there exists a value of r) such 
that p c > ph, unless, 

1- Poo = Pw and p 01 = p u , or 

2- Poo = Poi andp w = p u . 

The two exceptional cases correspond to functions for which only one party 
can make a meaningful input. We hence conclude that all genuinely two-input 
functions of this type are impossible to compute securely. 

Proof. Take η_0 = 1 − ε. For sufficiently small ε > 0, (4.25) implies p_h = η_0. We
then seek p_c. The eigenvalues of η_0 ρ_0 − η_1 ρ_1 are

$$ \lambda_\pm = \frac{1}{4} \left( a(\{p_{ij}\}) \pm \sqrt{ a^2(\{p_{ij}\}) + b(\{p_{ij}\}) } \right), \quad (4.27) $$

$$ \mu_\pm = \frac{1}{4} \left( a(\{\bar{p}_{ij}\}) \pm \sqrt{ a^2(\{\bar{p}_{ij}\}) + b(\{\bar{p}_{ij}\}) } \right), \quad (4.28) $$

where a({p_ij}) = (p_00 + p_10) η_0 − (p_01 + p_11) η_1, b({p_ij}) = 4 (√(p_01 p_10) − √(p_00 p_11))² η_0 η_1,
and p̄_ij = 1 − p_ij.

For ε sufficiently small, we have a ≫ b > 0. Using √(1 + x) ≤ 1 + x/2, we find

$$ \lambda_+ \le \frac{1}{4} \left( 2a(\{p_{ij}\}) + \frac{b(\{p_{ij}\})}{2a(\{p_{ij}\})} \right), \quad \lambda_- \le 0, \quad \mu_+ \le \frac{1}{4} \left( 2a(\{\bar{p}_{ij}\}) + \frac{b(\{\bar{p}_{ij}\})}{2a(\{\bar{p}_{ij}\})} \right), \quad \mu_- \le 0, $$

with equality iff b({p_ij}) = 0 and b({p̄_ij}) = 0. We hence have
½(1 + tr|η_0 ρ_0 − η_1 ρ_1|) > η_0, and so p_c > p_h, with equality iff p_00 = p_10 and
p_01 = p_11, or p_00 = p_01 and p_10 = p_11. □

The explicit construction for the optimal cheating measurement is given in
Appendix A.
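The comparison of (4.25) and (4.26) can be carried out numerically. The following Python script is an added illustration and is not part of the thesis: it builds Alice's reduced states ρ_0 and ρ_1 for the superposed input, evaluates the trace norm in (4.26) directly from the 2×2 blocks of η_0 ρ_0 − η_1 ρ_1 (rather than through (4.27)–(4.28)), and compares the result with the honest strategy of (4.25). The probability tables GENERIC and EXCEPTIONAL and the prior η_0 = 0.99 are constructed values, and all function names are this example's own.

```python
import math


def alice_reduced_state(p, j):
    """Alice's final state rho_j after she inputs (|0>+|1>)/sqrt2 into the
    two-sided box of Eq. (4.24) and Bob inputs j. Bob's output qubit is traced
    out; what remains (Alice's input register and her output qubit) is block
    diagonal in her output bit, so it is returned as two real symmetric 2x2
    blocks indexed by that bit, each in the |i> basis of her input register.
    p is a dict {(i, j): p_ij} (constructed input)."""
    blocks = []
    for out in (0, 1):
        amp = [math.sqrt(p[(i, j)] if out == 0 else 1 - p[(i, j)]) for i in (0, 1)]
        blocks.append([[0.5 * amp[a] * amp[b] for b in (0, 1)] for a in (0, 1)])
    return blocks


def eigenvalues_2x2(m):
    """Eigenvalues of a real symmetric 2x2 matrix, from trace and determinant."""
    t = m[0][0] + m[1][1]
    d = m[0][0] * m[1][1] - m[0][1] * m[1][0]
    disc = math.sqrt(max(t * t / 4 - d, 0.0))
    return (t / 2 + disc, t / 2 - disc)


def cheating_guess_probability(p, eta0):
    """p_c of Eq. (4.26): the Helstrom success probability for distinguishing
    rho_0 (prior eta0) from rho_1 (prior 1 - eta0). The trace norm of the
    block-diagonal operator is the sum of the trace norms of its blocks."""
    eta1 = 1 - eta0
    r0, r1 = alice_reduced_state(p, 0), alice_reduced_state(p, 1)
    trace_norm = 0.0
    for out in (0, 1):
        m = [[eta0 * r0[out][a][b] - eta1 * r1[out][a][b] for b in (0, 1)]
             for a in (0, 1)]
        trace_norm += sum(abs(lam) for lam in eigenvalues_2x2(m))
    return 0.5 * (1 + trace_norm)


def honest_guess_probability(p, eta0):
    """p_h of Eq. (4.25): Alice picks a classical input i and, for each output
    value she might see, guesses the j most likely under her prior."""
    eta = (eta0, 1 - eta0)
    best = 0.0
    for i in (0, 1):
        saw0 = max(p[(i, j)] * eta[j] for j in (0, 1))
        saw1 = max((1 - p[(i, j)]) * eta[j] for j in (0, 1))
        best = max(best, saw0 + saw1)
    return best


# Constructed probability tables: a genuinely two-input function, and one of
# the exceptional cases of Theorem 4.2 (p_00 = p_10 and p_01 = p_11, so that
# Alice's input does not matter).
GENERIC = {(0, 0): 0.9, (0, 1): 0.2, (1, 0): 0.3, (1, 1): 0.7}
EXCEPTIONAL = {(0, 0): 0.9, (0, 1): 0.2, (1, 0): 0.9, (1, 1): 0.2}


def attack_advantage(p, eta0=0.99):
    """p_c - p_h; a positive value means the superposition input beats any
    honest strategy under this prior."""
    return cheating_guess_probability(p, eta0) - honest_guess_probability(p, eta0)


if __name__ == "__main__":
    for name, table in (("generic", GENERIC), ("exceptional", EXCEPTIONAL)):
        print(name, "p_h =", round(honest_guess_probability(table, 0.99), 6),
              "p_c =", round(cheating_guess_probability(table, 0.99), 6))
```

For the generic table the advantage is small but strictly positive, as the theorem predicts for η_0 close to 1; for the exceptional table the two probabilities coincide, because both b({p_ij}) and b({p̄_ij}) vanish and no eigenvalue of η_0 ρ_0 − η_1 ρ_1 is negative.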
4.4.2 One-Sided Case

For one-sided computations of non-deterministic functions, Alice can cheat with-
out inputting a superposed state. In this case, the black box performs the unitary

$$ U \, |i\rangle_A |j\rangle_B |0\rangle = |i\rangle_A |j\rangle_B \left( \sqrt{p_{ij}} \, |0\rangle_A + \sqrt{1 - p_{ij}} \, |1\rangle_A \right), \quad (4.29) $$

where the last qubit goes to Alice at the end of the protocol. The following
theorem shows that such computations cannot be securely implemented.

Theorem 4.3. Having made an honest input to the black box above, Alice's
optimum procedure to correctly guess Bob's input is not given by a measurement
in the {|0⟩, |1⟩} basis, except if p_ij ∈ {0, 1} for all i, j.

Proof. From (1.2) of Theorem 1.1, if Alice inputs i = 1, the measurement opera-
tors {|0⟩⟨0|, |1⟩⟨1|} are optimal only if

$$ \eta_0 \sqrt{p_{10}(1 - p_{10})} = (1 - \eta_0) \sqrt{p_{11}(1 - p_{11})}. \quad (4.30) $$

For this to hold for all η_0, we require that either p_11 = 0 or p_11 = 1, and either
p_10 = 0 or p_10 = 1. Similarly, if Alice inputs i = 0, we require either p_01 = 0 or
p_01 = 1, and either p_00 = 0 or p_00 = 1, in order that the specified measurement
operators are optimal. □

These exceptions correspond to functions that are deterministic, so do not
properly fall into the class presently being discussed. Many are essentially single-
input, hence trivial, and all such exceptions are either degenerate or not poten-
tially concealing (see Section 4.3).

Our theorem also has the following consequence.

Corollary 4.1. One-sided variable bias coin tossing (see Chapter 3) is impossible.

Proof. A one-sided variable bias coin toss is the special case where both p_00 = p_10
and p_01 = p_11. These cases are not exceptions of Theorem 4.3, and hence are
impossible. □
p(k|i)      k = 0    k = 1    k = ?
i = 0        1/2       0       1/2
i = 1         0       1/2      1/2

Table 4.3: Probability table for oblivious transfer.



4.4.3 Example: The Impossibility Of OT

Here we show explicitly how to attack a black box that performs OT when used
honestly. This is a second proof of its impossibility in a stand-alone manner (the
first being Rudolph's)¹⁰.

The probability table for this task is given in Table 4.3.

In an honest implementation of OT, Bob is able to guess Alice's input with
probability ¾. However, the final states after using the ideal black box are of the
form |ψ_b⟩ = (|b⟩ + |?⟩)/√2, where |0⟩, |1⟩ and |?⟩ are mutually orthogonal. These
are optimally distinguished using the POVM (E, 1 − E), where, in the basis
{|0⟩, |1⟩, |?⟩},

$$ E = \frac{1}{12 - 6\sqrt{3}} \begin{pmatrix} -1 \\ 2 - \sqrt{3} \\ 1 - \sqrt{3} \end{pmatrix} \begin{pmatrix} -1 & 2 - \sqrt{3} & 1 - \sqrt{3} \end{pmatrix}. \quad (4.31) $$

This POVM allows Bob to guess Alice's bit with probability ½(1 + √3/2), which
is significantly greater than ¾.
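As an added check, not drawn from the thesis, the following Python script verifies the claim above: it constructs |ψ_0⟩ and |ψ_1⟩ in the basis {|0⟩, |1⟩, |?⟩}, builds the projector E of (4.31), confirms that (E, 1 − E) is a valid two-outcome POVM, and compares Bob's honest guessing probability (measuring in the {|0⟩, |1⟩, |?⟩} basis and flipping a coin on "?") with what the POVM achieves and with the Helstrom bound for two equiprobable pure states. Names such as PSI and povm_element_E are this example's own.

```python
import math

SQRT2, SQRT3 = math.sqrt(2), math.sqrt(3)

# Basis order |0>, |1>, |?>. Bob's final state |psi_b> = (|b> + |?>)/sqrt2
# when Alice's bit is b (real amplitudes, so inner products are plain sums).
PSI = {0: (1 / SQRT2, 0.0, 1 / SQRT2),
       1: (0.0, 1 / SQRT2, 1 / SQRT2)}


def povm_element_E():
    """E of Eq. (4.31): the rank-one projector onto (-1, 2-sqrt3, 1-sqrt3),
    normalised by its squared length 12 - 6 sqrt3."""
    v = (-1.0, 2 - SQRT3, 1 - SQRT3)
    norm_sq = sum(c * c for c in v)
    return [[v[a] * v[b] / norm_sq for b in range(3)] for a in range(3)]


def expectation(E, psi):
    """<psi| E |psi> for a real vector psi and a real matrix E."""
    return sum(psi[a] * E[a][b] * psi[b] for a in range(3) for b in range(3))


def is_projector(E, tol=1e-12):
    """E^2 = E and E = E^T, so 0 <= E <= 1 and (E, 1 - E) is a POVM."""
    for a in range(3):
        for b in range(3):
            ee = sum(E[a][c] * E[c][b] for c in range(3))
            if abs(ee - E[a][b]) > tol or abs(E[a][b] - E[b][a]) > tol:
                return False
    return True


def honest_guess_probability():
    """Bob measures in {|0>,|1>,|?>}: outcome b reveals the bit, outcome ?
    leaves him a fair coin flip. Priors 1/2 on each value of Alice's bit."""
    total = 0.0
    for b in (0, 1):
        p_learn = PSI[b][b] ** 2     # probability of seeing |b>
        p_blank = PSI[b][2] ** 2     # probability of seeing |?>
        total += 0.5 * (p_learn + 0.5 * p_blank)
    return total


def povm_guess_probability():
    """Bob answers 0 on outcome E and 1 on outcome 1 - E (priors 1/2)."""
    E = povm_element_E()
    return 0.5 * expectation(E, PSI[0]) + 0.5 * (1 - expectation(E, PSI[1]))


def helstrom_bound():
    """Optimal success probability for two equiprobable pure states:
    (1 + sqrt(1 - |<psi_0|psi_1>|^2)) / 2."""
    overlap = sum(PSI[0][a] * PSI[1][a] for a in range(3))
    return 0.5 * (1 + math.sqrt(1 - overlap ** 2))


if __name__ == "__main__":
    print("valid POVM:", is_projector(povm_element_E()))
    print("honest:", honest_guess_probability())
    print("POVM of (4.31):", povm_guess_probability())
    print("Helstrom bound:", helstrom_bound())
```

The overlap ⟨ψ_0|ψ_1⟩ equals ½, so the Helstrom bound is ½(1 + √3/2), and the explicit E attains it exactly; the honest value of ¾ is what the security condition of Section 4.3 would require an adversary to be held to.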



4.5 Discussion 



We have introduced a black box model of computation, and have given a neces-
sary condition for security. Even if such black boxes were to exist as prescribed
by the model, one party can always break the security condition. Specifically,
by inputting a superposed state rather than a classical one, and performing an
appropriate measurement on the outcome state, one party can always gain more
information on the input of the other than that gained using an honest strategy.
In the case of deterministic functions, this attack has only been shown to work if
the function is non-degenerate and potentially concealing. In the case where the
sole purpose of the function is to learn something about the other party's input,
this class of function is the most natural to consider.

¹⁰ Impossibility had previously been argued on the grounds that OT implies BC and hence
is impossible because BC is. However, while this argument rules out the possibility of a com-
posable OT protocol, a stand-alone one is not excluded.

Our theorems deal only with the simplest cases of the relevant functions. 
However, the results can be extended to more general functions as described 
below. 

Larger input alphabets: A deterministic function is impossible to compute
securely if it possesses a 3 × 3 submatrix which is potentially concealing and satis-
fies the degeneracy requirement. This follows because Alice's prior might be such
that she can reduce Bob to three possible values of j. This argument does not
rule out the possibility of all larger functions, since some exist that are potentially
concealing without possessing a potentially concealing 3 × 3 subfunction. Nev-
ertheless, we conjecture that all potentially concealing functions have a cheating
attack which involves inputting a superposition and then optimally measuring the
outcome.

In the non-deterministic case, all functions with more possibilities for i and j
values possess 2 × 2 submatrices that are ruled out by the attacks presented, or
reduce to functions that are one-input. Therefore, no two-party non-deterministic
computations can satisfy our security condition.

Larger output alphabets: In the non-deterministic case, we considered 
only binary outputs. We conjecture that the attacks we have presented work 
more generally on functions with a larger range of possible outputs. 

We have not proven that the aforementioned attacks work for any function 
within the classes analysed, although we conjecture this to be the case. Fur- 
thermore, for any given computation, one can use the methods presented in this 
chapter to verify its vulnerability under such attacks. 

Our results imply that there is no way to define an ideal suitable to realise se-
cure classical computations in a quantum relativistic framework. Hence, without
making additional assumptions, or invoking the presence of a trusted third party,
secure classical computation is impossible to realise using the usual notions of se-
curity. The quantum relativistic world, while offering more cryptographic power
than the classical world, as exemplified in Chapter 2, still does not permit a range
of computational tasks. Table 4.4 summarizes the known results for uncondition-
ally secure two-party computation.

One reasonable form of additional assumption is that the storage power of 
an adversary is bounded. The so-called bounded storage model has been used 
in both classical and quantum settings. This model evades our no-go results 
because limiting the quantum storage power of an adversary forces them to make 
measurements. This collapses our unitary model of computation. In the classical
bounded storage model, the adversary's memory size can be at most quadratic
in the memory size of the honest parties in order to form secure protocols
[64]. However, if quantum protocols are considered, and an adversary's quantum
memory is limited, a much wider separation is possible. Protocols exist for which
the honest participants need no quantum memory, while the adversary needs to
store half of the qubits transmitted in the protocol in order to cheat [65].

In the recent literature, there have been investigations into the cryptographic
power afforded by theories that go beyond quantum mechanics. Such theories are
often constrained to be non-signalling. Popescu and Rohrlich investigated viola-
tions of the CHSH inequality (see Section 1.3.3) in non-signalling theories [66].
Such theories are able to obtain the maximum algebraic value of the CHSH quan-
tity, 4. The hypothetical device that achieves such a violation has subsequently
been called a non-local box. Devices of this kind would allow substantial reduc-
tions in the communication complexity of distributed computing tasks [67] and
have been shown to allow any two-party secure computation [68]. One might con-
clude that there is a further gap in cryptographic power between non-signalling
theories and quantum ones. However, we argue that this is not justified for two
reasons. Firstly, in non-local box cryptography, one gives such boxes for free to
parties which need them. Secondly, no procedure for doing joint, or even alter-
native single measurements is prescribed to a non-local box setting. To make
a fair comparison between non-local box cryptography and standard quantum
cryptography, one should consider a quantum scenario in which separated parties
are given shared singlets for free, and also constrain them to make one of two
Type of computation                        Securely implementable   Comment
Zero-input   Deterministic                  ✓                        Trivial
             Random one-sided               ✓                        Trivial
             Random two-sided               ✓                        Biased n-faced die roll
One-input    Deterministic                  ✓                        Trivial
             Random one-sided               ✗*                       One-sided variable bias n-faced die roll
             Random two-sided               ✓*                       Variable bias n-faced die roll
Two-input    Deterministic one-sided        ✗                        cf. Lo
             Deterministic two-sided        ✗*                       this chapter
             Random one-sided               ✗*                       this chapter
             Random two-sided               ✗*                       this chapter

Table 4.4: Functions computable securely in two-party computations using (potentially) both quantum and rela-
tivistic protocols, when unconditional security is sought. ✓ indicates that all functions of this type are possible, ✗
indicates that all functions of this type are impossible, ✓* indicates that a wide range of functions of this type are
possible and conjectures made in Chapter 3 imply that all functions of this type are possible, and ✗* indicates that
a wide range of functions of this type are impossible and conjectures made in this chapter imply that all functions
of this type are impossible. This is the version of Table 3.1 updated in light of our work.
measurements on each state they hold. Alternatively, one could find a new theory
in which non-local boxes emerge as features. In the absence of such a theory, one
should be cautious about making comparisons.

Recently, it has been shown that any non-signalling box whose correlations
are non-separable is sufficient for bit commitment [69]. This includes the case
where the correlations are quantum, or indeed weaker. Since quantum (non-
relativistic) bit commitment is impossible, even given access to shared EPR
pairs, the additional cryptographic power cannot be attributed to the presence
of correlations above those that are possible using quantum mechanics alone. It
remains an open question whether the same is true for OT.

We further remark that the cheating strategy we present for the non-deterministic
case does not work for all assignments of Alice's prior over Bob's inputs — there
exist functions and values of the prior for which it is impossible to cheat using the
attack we have presented. This continues to be the case when we allow Alice to
choose any input state, including ones entangled with some space that she keeps.
As a concrete example, consider the set (p_00, p_01, p_10, p_11) = (j^, §, §), with
η_0 = | in the two-sided version. Hence, in practice, there could be situations in
which Bob would be happy to perform such a computation, for example, if he
was sure Alice had no prior information over his inputs.
Private Randomness Expansion Under Relaxed Cryptographic Assumptions

"The generation of random numbers is too important to be left to
chance." - Robert R. Coveyou

5.1 Introduction 

As a casino owner, Alice has a vested interest in random number generation. 
Her slot machines use pseudo-random numbers which she is eager to do away 
with. Alice has a sound command of quantum physics, and realises a way to 
produce guaranteed randomness. However, running a casino is not easy, and 
Alice has neither the time nor resources to construct the necessary quantum 
machinery herself. Instead, her local merchant, the shady Dr Snoop, offers to 
supply the necessary parts. Naturally Alice is suspicious, and would like some 
way of ensuring that Snoop's equipment really is providing her with a source of 
private random bits. 

Random numbers are important in a wide range of applications. In some, for
example statistical sampling or computer simulations, pseudo-randomness may
be sufficient. Pseudo-random sources satisfy many tests for randomness, but are
in fact deterministically generated from a much shorter seed. In applications such
as gambling or cryptography, this may be detrimental. Since quantum measure-
ments are the only physical processes we know of that are random, it is natural
to construct random number generators based on these. Devices which generate
randomness through quantum measurement have recently hit the marketplace,
but what guarantee does the consumer have that these perform as claimed? In
this chapter, we investigate protocols that guarantee private random number
generation even when all the devices used in the process come from an untrusted
source. This corresponds to relaxing Assumption 4 (see Section 1.6), that each
party has complete knowledge of the operation of the devices they use to imple-
ment a protocol. We use the task of expanding a random string, that is, using
a given random string in some procedure in order to generate a longer one, to
illustrate that some cryptographic tasks are possible even when this assumption
is dropped.

Expansion of randomness comes in two flavours. In the weakest form, one
simply wants to guarantee that the lengthened string really is random and could
not have been influenced by any outside source. If one also requires that no infor-
mation on the lengthened string be accessible to another party, then a stronger
protocol is needed. The latter task we refer to as private randomness expansion,
and it is clearly sufficient for the former¹. The possession of guaranteed randomness
is useful in many contexts. In a gambling scenario, for instance, several players
may learn the outcome of a random event (e.g., the spin of a roulette wheel) but
would be at a great advantage if they could influence it. The BB84 QKD scheme,
on the other hand, requires a private random string to choose the bases to use².
Private randomness expansion will be the focus of this chapter.

We give a protocol that uses an initial private random string, together with 
devices supplied by an adversary, to expand this initial string. Our protocol is 
such that any specified amount of additional randomness can be generated using 



¹ Note that this task involves only one party trying to expand a random string in contrast
to the task of extending coin tosses discussed in Section 4.2.1, where both Alice and Bob must
generate the same shared expansion.

² A string formed by measuring individual halves of singlets in some fixed basis is random,
but not secret, since the holder of the other half can discover the random data.
a sufficiently long initial string. Further, we give a second protocol which allows
a (sufficiently long) initial string to be expanded by any amount. The length
of initial string required depends on the desired tolerance for successful cheating
by Snoop. This second protocol has the undesirable feature of requiring a large
set of sites that cannot communicate with one another. Our protocols are not
optimized for efficiency, and at present do not have full security proofs.



5.1.1 The Setting 

Let us now iterate the practical significance of dropping Assumption 4. Random-
ness expansion is a single party protocol. We assume that all quantum devices
that the user, Alice, will use to perform the protocol were sourced by Snoop³.
Snoop will supply devices that he claims function exactly as Alice prescribes⁴.
The devices cannot send communications outside of Alice's lab unless she al-
lows them to (cf. Assumption 1), and Alice can, if necessary, prevent them from
communicating with each other.

To become confident that the devices have not been tampered with, Alice
will perform some test on them. In keeping with Kerckhoffs's principle [70], we
assume that Snoop knows completely the details of such tests. If all of Alice's
devices come from Snoop, there is an immediate no-go result. We idealize Alice's
procedure for testing the devices as a sequence of operations generating a member
of a set of possible outcomes. Certain outcomes result in her rejecting the devices,
while others lead to their acceptance.

Theorem 5.1. If Alice follows a deterministic procedure, and sources all of her
devices from Snoop, then she cannot distinguish the case where Snoop's devices
implement the procedure as intended from the case where his devices make pre-
determined classical outputs.

Proof. There exists a set of classical data that Alice will accept as a passing of her
test. Snoop need simply provide devices that output this set of data as required
by Alice's procedure. □



³ Since Alice herself is a classical information processing device, it is unreasonable to ask that
Snoop created all classical devices.

⁴ We assume that Snoop can construct any device consistent with the laws of physics, and
that Alice does not ask for impossible devices.
To circumvent this no-go result, we give Alice an initial private random string.
By using this string, she can ensure that Snoop does not know every detail of
her test procedure. As we shall see, this string is enough to constrain Snoop such
that Alice can generate random bits. Since she needs an initial source of bits,
this task is randomness expansion.

5.1.2 Using Non-Local Correlations 

We have shown that without the use of an initial random string, Alice cannot 
perform randomness expansion. However, it is also the case that without exploit- 
ing the non-local features of quantum mechanics, she cannot either. This is a 
corollary to the following theorem. 

Theorem 5.2. If Alice sources all of her devices from Snoop and follows a local
procedure, then she cannot distinguish the case where Snoop's devices implement
the procedure as intended from the case where his devices make classically gener-
ated output⁵.

Proof. If all the processes occur locally, we can reduce any setup to the following.
Snoop supplies a device into which Alice inputs her random string, before it
produces an output. Snoop's cheating strategy in this case is simply to program
his device with a correct output for each of Alice's possible inputs. □

It then follows that since Snoop's devices can offer a one-to-one correspondence 
between Alice's input and their output, the amount of private randomness in 
Alice's possession remains constant. 

Alice's tests need to exploit non-local effects in order to be of use. To see that
these evade the no-go results above, consider two spatially separated devices, both
inside Alice's laboratory. Alice inputs part of her random string into each device,
and demands that the devices produce fast outcomes (i.e., within the light travel
time between the two devices). Thus, the second device must follow a procedure
that is independent of the random string input to the first, and vice versa. If
Alice is to test for non-classical correlations between the outcomes, then Snoop's

⁵ A classically generated output is one formed from the input without use of quantum states
or measurements.

potential to cheat is constrained. States which produce non-classical correlations
possess some intrinsic randomness, and so, by verifying that Snoop's devices are
producing such states, Alice can be sure that she derives genuine randomness
from them.

The non-local nature of quantum mechanics is often exemplified using the
CHSH test, as described in Section 1.3.3. However, the CHSH test is not well
suited for our purposes because it is based on statistics generated over lots of runs.
In a finite run, it is impossible to say for certain whether the value achieved was
due to malicious behaviour or simply bad luck. Such a property is an inconve-
nience, but not fatal since, by increasing the number of runs, we can ensure that
the probability of Snoop passing the test if he has deviated from it is arbitrarily
small. The GHZ test, discussed below, has a much neater failure detection than
this.

Consider instead the following test, which we call a GHZ test [71], after its
inventors Greenberger, Horne and Zeilinger. Alice asks for three devices, each of
which has two settings (which we label P and Q following Section 1.3.3) and can
output either 1 or −1. Alice is to consider the four quantities P_1P_2P_3, P_1Q_2Q_3,
Q_1P_2Q_3 and Q_1Q_2P_3. She demands that the first of these is always −1, while
the remaining three are +1. That these cannot be satisfied by a classical assign-
ment can be seen as follows. Consider the product of the four quantities, which
according to Alice's demands must be −1. However, the algebraic expression is
P_1²P_2²P_3²Q_1²Q_2²Q_3², which for a classical assignment must be positive. This is a
contradiction, and so no classical assignment exists. If, instead, the {P_i} and
{Q_i} are formed by the outcomes of measurements acting on an entangled quan-
tum state, then such demands can always be met. In an appendix we describe
the complete set of operators and states that achieve this. In essence, all such
operators behave like Pauli σ_x and σ_y operators and the state behaves like a GHZ
state, that is, the state (|000⟩ − |111⟩)/√2, up to local unitary invariance.

The GHZ test does not rely on the statistical properties of several runs. 
Rather, the outcome of each run is specified. If any run contradicts the specified 
value, then one can be sure that the state and operators are not the ones claimed. 
This is highly useful cryptographically, as it allows Alice to be certain when she 
has detected interference. GHZ tests have a further advantage over CHSH in 
that they offer a higher rate of increase in randomness (we discuss this further in
Section 5.3.1).



5.2 Private Randomness Expansion 
5.2.1 The Privacy Of A Random String 

Let us first consider the case where each party has classical information. Alice has
string x ∈ X. Snoop has z ∈ Z, partially correlated with x, these strings having
been drawn from a distribution P_XZ. Alice's string is private if I(X : Z = z) is
negligible, i.e., string X is essentially uniformly distributed from Snoop's point
of view.

Now consider the case where Snoop's information on Alice's string is quantum.
In general, it is not enough to demand that for any measurement Snoop performs,
his resulting string z is such that I(X : Z = z) is negligible. Such a definition
does not ensure that Alice's string can be used in any further application. The
reason is that Snoop need not measure his system to form a classical string, but
can instead keep hold of his quantum system. He may be then able to acquire
knowledge which constitutes cheating in the further application (see also the
discussion in Section 1.2). For example, as a result of parameters revealed in the
further application, Snoop might be able to identify a suitable measurement on
his original quantum system that renders the further application insecure. (See
[73] for a further discussion, and an explicit example.) Thus, a key with
the property that for all measurements by Snoop I(X : Z = z) is negligible,
cannot be treated in the same way as a private random key.

Instead, as discussed in Chapter 1, security definitions are defined with ref-
erence to the properties of a suitable ideal. In an ideal protocol, the final state
is of the form

$$ \frac{1}{|A_n|} \sum_{i \in A_n} |i\rangle\langle i| \otimes \rho_Z = \sigma_I, $$

where ρ_Z is Snoop's final system and is independent of i, A_n represents the set
of strings of length n, and |A_n| = 2^n is the size of set A_n. In a real implementation,
the final state has the form

$$ \sum_{i \in A_n} P_I(i) \, |i\rangle\langle i| \otimes \rho_Z^{i} = \sigma_R. $$

A useful security definition is that D(σ_I, σ_R) ≤ ε, which implies that the two
situations can be distinguished with probability at most ε (see Section 1.3.2).
Moreover, since the trace distance is non-increasing
under quantum operations [4], this condition must persist when the string is used
in any application, and hence the string satisfies a stand-alone security definition
(see Section 1.2). Since the protocol is non-interactive, and takes place entirely
within Alice's laboratory, it is clear that universally composable security is also
realized.

In many applications, the string produced may not satisfy a security require-
ment of this kind without first undergoing privacy amplification. In Section 1.4.2
we discussed privacy amplification in a three party scenario, in which Alice and
Bob seek to generate a shared random string on which Eve's information is negli-
gible. Alice and Bob are required to communicate during the amplification stage,
and thus leak information about the amplification to Eve. Private randomness
expansion, on the other hand, is a two party game. No information need be
leaked in amplification since there is no second honest party needing to perform
the same procedure. For instance, if universal hashing is used, the adversary
never gains any knowledge about the hash function. The randomness used to
choose it remains private and hence acts catalytically.

5.2.2 Definitions 

Let us denote Alice's initial private uniform random string by x ∈ X. This string
has length n bits. Alice expands x, generating the additional string s ∈ S. A
protocol for private randomness expansion using devices supplied by Snoop is
ε-secure if, for any strategy followed by Snoop whereby he holds Hilbert space
H_Z, we have

$$ D(\rho_{SZ}, \rho_{U_S} \otimes \rho_Z) \le \epsilon, \quad (5.1) $$

where ρ_{U_S} denotes the maximally mixed state in H_S.

A protocol for the weaker task of randomness expansion is ε-secure if

(5.2)

Then, no restriction is placed on how much information the state in H_Z provides
on S. For instance, it could be entangled in such a way that Snoop can always
find S. What is important is that Snoop cannot influence S in any way, except
with probability ε.
Like in previous chapters, using N_1, ..., N_r as security parameters, we say
that a protocol is secure if ε → 0 as the N_i → ∞, and that a protocol is perfectly
secure if ε = 0 for some fixed finite values of the N_i.

5.2.3 Finite Expansion 

We now give a protocol which allows a private random string to be expanded.
Before undergoing the protocol, Alice asks Snoop for three devices, each of which
has two settings (inputs), (P_i and Q_i for the ith device) and can make two possible
outputs, +1 or −1. These devices cannot communicate with agents outside of
Alice's laboratory (cf. Assumption 1), nor with one another. Alice asks that
whenever these devices are used to measure one of the four GHZ quantities
(P_1P_2P_3, P_1Q_2Q_3, Q_1P_2Q_3 and Q_1Q_2P_3), they return the outcomes specified in
Section 5.1.2 (i.e., −1, +1, +1 and +1 respectively)⁶. We call these three
devices taken together a device triple. Alice uses her device triple in the following
procedure.

Protocol 5.1.

1. Alice chooses security parameter ε, to give a sufficiently small probability
of Snoop successfully cheating. She divides her string x into two strings x_1
and R, of equal length.

2. Alice uses 2 bits of x_1 to choose one of the four tests, via the assignment in
Table 5.1.

3. She performs the corresponding test, by having each of three agents make
inputs to their boxes and receive their outputs such that light could not
have travelled between any pair of boxes between input and output⁷.

⁶ In practice, Alice might ask for devices that measure either σ_x or σ_z, and for a further
device that creates GHZ states. Of course, she will not be able to distinguish this scenario
from one satisfying the test but using a different set of states and operators, hence we have
kept the description as general as possible.

⁷ Alternatively, Alice can avoid the need for large separations if she can ensure no communi-
cation between devices after the protocol begins, e.g. by putting each device in its own separate
laboratory.
(a)  bit sequence    00            01            10            11
     input           P_1 P_2 P_3   P_1 Q_2 Q_3   Q_1 P_2 Q_3   Q_1 Q_2 P_3

(b)  output          output triples (o_1, o_2, o_3) from the three devices
     assignment      00            01            10            11

Table 5.1: Assignment table for (a) choosing the inputs to the three devices
based on two random bits, and (b) assigning the outputs generated from the
three devices to form two new random bits.



4. If she receives the wrong product of outputs, she aborts, otherwise she turns
her output into a bit string using the assignments given in Table 5.1. In
this way, Alice builds a random string x' ∈ X'.

5. Alice repeats steps 2–4 until she has depleted x_1.

6. Alice bounds H^ε_min(ρ_{X'X_1Z}|X_1Z). Here,

$$ \rho_{X'X_1Z} = \sum_{x', x_1} P_{X'X_1}(x', x_1) \, |x' x_1\rangle\langle x' x_1| \otimes \rho_Z^{x_1}, \quad (5.3) $$

and H_Z is the Hilbert space held by Snoop. She then performs privacy
amplification using a universal hash function, where the random string
R is used to choose the hash function. (Note that R has the same length
as x_1 [22, 23].)⁸ If Alice's final string, s, has length r, then Equation (1.32)
implies that s can be distinguished from uniform with probability at most

$$ \epsilon + \frac{1}{2} \, 2^{-\frac{1}{2} \left( H^{\epsilon}_{\min}(\rho_{X'X_1Z}|X_1Z) - r \right)}. $$



This protocol is illustrated in Figure 5.1. Note that Alice bounds the quantity
H^ε_min(ρ_{X'X_1Z}|X_1Z), rather than H^ε_min(ρ_{X'Z}|Z). This ensures that if Snoop discovers
x_1 after the protocol has taken place (e.g., perhaps it is used as part of some
further application), the string s remains secure. This is important for the com-
posability of Protocol 5.1. Following the discussion of privacy amplification in
Section 1.4.2, the same is true if R is subsequently divulged. The concatenation
(x, s) is the final private random string generated by the protocol. It is manifestly
longer than the initial one. Moreover, if Snoop is honest, then Protocol 5.1 uses
2 bits of x while generating 2 new bits of randomness each time the loop (i.e.,
Steps 2–4) is run.

⁸ Since it is only quantum devices that are supplied by Snoop, and hashing is a classical
procedure, there is no security issue associated with this step.

Although (x, s) is private with respect to the outside world, it is not pri-
vate with respect to the devices, which, being malicious, may be programmed
to remember their sequence of inputs and outputs. Snoop could then program
her devices in the following way. The first time x is input, the devices behave
honestly, using genuine GHZ states and suitable measurement operators. Alice's
tests will then all pass. When x is input again (which the devices know, because
we assume Snoop knows Alice's procedure), the devices can simply recall the
output they made in the first (honest) run. With probability ½ the devices out-
put these directly, otherwise they randomly flip two of the three outputs. (The
devices can be pre-programmed with shared private randomness in order to do
this.) The outputs in this second run appear genuine from Alice's point of view,
but in fact contain no additional private randomness. Therefore, the procedure
cannot simply be repeated to generate an even longer string.
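The GHZ test of Section 5.1.2 and Steps 1–5 of Protocol 5.1 can be simulated end to end. The Python script below is an added example, not the thesis's own code: it checks by exhaustive search that no classical assignment meets all four GHZ demands (so a device answering from a fixed table is caught whenever the fourth test is drawn), computes the outcome distribution of (|000⟩ − |111⟩)/√2 under σ_x/σ_y measurements directly from the Born rule, and runs the protocol loop once with an honest device triple and once with a device triple that answers from a fixed classical table. Table 5.1(b) is not reproduced here: the encoding of outcomes into bits used below (the first two outcomes, +1 → 0 and −1 → 1) is an assumption of this example, as are the constructed initial string X_INITIAL and the classical table in classical_device_triple. The hashing of Step 6 is not simulated.

```python
import itertools
import math
import random

# The four GHZ demands of Section 5.1.2: for each pattern of settings on the
# three devices, the product of the three +/-1 outcomes Alice requires.
GHZ_TESTS = {"PPP": -1, "PQQ": +1, "QPQ": +1, "QQP": +1}

# Table 5.1(a): two bits of x_1 select which of the four tests is run.
TEST_FROM_BITS = {"00": "PPP", "01": "PQQ", "10": "QPQ", "11": "QQP"}


def classical_max_satisfied():
    """Largest number of the four demands that any deterministic assignment
    of P_1..P_3, Q_1..Q_3 in {+1,-1} satisfies at once (exhaustive search)."""
    best = 0
    for vals in itertools.product((+1, -1), repeat=6):
        P, Q = vals[:3], vals[3:]
        satisfied = 0
        for settings, wanted in GHZ_TESTS.items():
            prod = 1
            for k, s in enumerate(settings):
                prod *= P[k] if s == "P" else Q[k]
            satisfied += int(prod == wanted)
        best = max(best, satisfied)
    return best


def eigvec(setting, s):
    """Eigenvector (amplitudes on |0>,|1>) of sigma_x (setting P) or sigma_y
    (setting Q) with eigenvalue s in {+1,-1}."""
    phase = 1 if setting == "P" else 1j
    return (complex(1 / math.sqrt(2)), s * phase / math.sqrt(2))


def ghz_outcome_distribution(settings):
    """Born-rule probabilities of each outcome triple when the GHZ state
    (|000> - |111>)/sqrt2 is measured with the given settings."""
    dist = {}
    for outs in itertools.product((+1, -1), repeat=3):
        a000, a111 = 1, 1
        for k in range(3):
            v = eigvec(settings[k], outs[k])
            a000 *= v[0].conjugate()
            a111 *= v[1].conjugate()
        prob = abs((a000 - a111) / math.sqrt(2)) ** 2
        if prob > 1e-12:
            dist[outs] = prob
    return dist


def ghz_passes(settings):
    """True iff every outcome the GHZ state can produce meets Alice's demand."""
    return all(o[0] * o[1] * o[2] == GHZ_TESTS[settings]
               for o in ghz_outcome_distribution(settings))


def honest_device_triple(seed=1):
    """Device triple built from genuine GHZ states and sigma_x/sigma_y
    measurements; each round samples an outcome from the Born-rule weights."""
    rng = random.Random(seed)

    def device(settings):
        outs, weights = zip(*ghz_outcome_distribution(settings).items())
        return rng.choices(outs, weights=weights)[0]
    return device


def classical_device_triple():
    """Device triple answering from a fixed classical table (constructed
    example: P = (-1,+1,+1), Q = (+1,+1,+1) meets three of the four demands)."""
    P, Q = (-1, +1, +1), (+1, +1, +1)

    def device(settings):
        return tuple(P[k] if s == "P" else Q[k] for k, s in enumerate(settings))
    return device


def run_protocol(x, device):
    """Steps 1-5 of Protocol 5.1. Returns (x_prime, aborted). The assumed
    output encoding takes the first two outcomes, +1 -> '0', -1 -> '1'; the
    third outcome is fixed by the parity demand, so nothing is lost."""
    n = len(x)
    x1, R = x[:n // 2], x[n // 2:]                  # step 1: R is reserved for the hash
    x_prime = ""
    for k in range(0, len(x1) - 1, 2):
        settings = TEST_FROM_BITS[x1[k:k + 2]]       # step 2
        outs = device(settings)                      # step 3
        if outs[0] * outs[1] * outs[2] != GHZ_TESTS[settings]:
            return x_prime, True                     # step 4: wrong product, abort
        x_prime += "".join("0" if o == +1 else "1" for o in outs[:2])
    return x_prime, False                            # step 5: x_1 depleted


# Constructed initial string x: the x_1 half cycles through all four tests.
X_INITIAL = "0001101100011011" + "1011001010110010"

if __name__ == "__main__":
    print("classical table satisfies at most", classical_max_satisfied(), "of 4 demands")
    print("GHZ state meets all four:", all(ghz_passes(t) for t in GHZ_TESTS))
    print("honest devices:", run_protocol(X_INITIAL, honest_device_triple()))
    print("classical devices:", run_protocol(X_INITIAL, classical_device_triple()))
```

With honest devices the loop never aborts and returns as many new bits as it consumed from x_1; the classical table passes the first test and is caught on the first round whose selected test it cannot satisfy, which is the failure-detection property the text contrasts with the statistical CHSH test.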

5.2.3.1 Security Against Classical Attacks 

Consider the situation where Alice performs the protocol as described, while Snoop attempts to cheat. In so doing, Snoop limits himself to classical attacks (that is, to inserting known outcomes⁹). If he does this, his best attack has success probability $\frac{3}{4}$ per supposed GHZ state, and gains him 2 bits of Alice's sequence, $x'$.

Snoop can then have made a maximum of $m = \frac{\log(1/\epsilon)}{\log(4/3)}$ attacks, except with probability less than $\epsilon$. So that his probability of successful attack is less than $2\epsilon$, we require the hashing to reduce the string length by $2\left(\frac{1}{\log(4/3)} + 1\right)\log\frac{1}{\epsilon} - 2$ bits (see Equation (1.32)). This is independent of the number of GHZ tests performed. Provided the initial private random string has length greater than twice this, it can be expanded, except with probability less than $2\epsilon$.

9 Snoop could distribute these outcomes according to some probability distribution, but this will not help. Additionally, he could make the output depend on the input, but since when we bound the smooth min-entropy we give Snoop the input, this also does not help.

In the cases where Snoop does not make an attack, two new bits of randomness are generated for each GHZ test (which consumes two bits of $x_1$). Therefore, against classical attacks, this protocol increases the amount of private randomness by a factor approaching $\frac{3}{2}$ for large initial amounts.
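The length bookkeeping above, together with a concrete privacy-amplification step, as an added example (not code from the thesis). The page does not say which universal hash family Protocol 5.1 uses; the example assumes the 2-universal family $h_R(x) =$ low $\ell$ bits of $R \cdot x$ in $\mathrm{GF}(2^{128})$, which needs a key $R$ exactly as long as the input, as the text requires. Constants, function names and the 128-bit block size are this example's own; `POLY128` is the field modulus $x^{128}+x^7+x^2+x+1$.

```python
import math
import secrets

POLY128 = 0x87   # x^128 = x^7 + x^2 + x + 1 (bit i of an int = coefficient of x^i)

def gf128_mul(a, b):
    """Carry-less multiply of two 128-bit field elements, reduced modulo POLY128."""
    r = 0
    for _ in range(128):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 128:
            a ^= (1 << 128) | POLY128
    return r

def universal_hash(x, r, out_bits):
    """h_R(x): low out_bits of R*x. For x != x' the difference R*(x^x') is uniform
    when R is, so distinct inputs collide with probability exactly 2^-out_bits."""
    assert 0 <= x < (1 << 128) and 0 <= r < (1 << 128) and 0 <= out_bits <= 128
    return gf128_mul(r, x) & ((1 << out_bits) - 1)

def max_classical_attacks(eps):
    """m with (3/4)^m = eps: more than m undetected attacks happens w.p. < eps."""
    return math.log2(1 / eps) / math.log2(4 / 3)

def length_reduction(eps):
    """Bits the hash must remove for total failure probability below 2*eps:
    2m bits learnt by Snoop plus the 2 log(1/eps) - 2 of Equation (1.32).
    Independent of the number of GHZ tests."""
    return 2 * (1 / math.log2(4 / 3) + 1) * math.log2(1 / eps) - 2

def min_initial_length(eps):
    """The text's sufficient condition for net expansion: more than twice the reduction."""
    return 2 * length_reduction(eps)

def output_length(n_prime, eps):
    """Output bits l from an n'-bit x' via Equation (1.32), with H >= n' - 2m."""
    h_min = n_prime - 2 * max_classical_attacks(eps)
    return max(0, math.floor(h_min - 2 * math.log2(1 / eps) + 2))

def privacy_amplify(x_prime, r, eps):
    """Alice's hashing step on a 128-bit x' with the 128-bit key R taken from x."""
    l = output_length(128, eps)
    return universal_hash(x_prime, r, l), l

if __name__ == "__main__":
    eps = 2 ** -10
    s, l = privacy_amplify(secrets.randbits(128), secrets.randbits(128), eps)
    print(f"m={max_classical_attacks(eps):.1f} reduction={length_reduction(eps):.1f} "
          f"l={l} s={s:0{l}b}")
```

With $\epsilon = 2^{-10}$ the reduction is about 66 bits, so a 128-bit $x'$ still yields a net gain; with $\epsilon = 2^{-20}$ it is about 134 bits and a 128-bit $x'$ yields nothing, which is the "twice this" condition in the text at work.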

5.2.3.2 Quantum Attacks 

Of course, limiting Snoop to classical attacks is an undesirable and unrealistic assumption, especially given the fact that he is able to produce Alice's quantum devices! If Snoop performs a quantum attack, then, before privacy amplification, the final state of the system takes the form

$$\sum_{x', x_1} P(x', x_1)\,|x' x_1\rangle\langle x' x_1| \otimes \rho_Z^{x' x_1}. \qquad (5.4)$$

The length by which $x'$ needs to be reduced depends on $H_\infty^\epsilon(\rho_{X'X_1Z}|X_1Z)$, and on $\epsilon$. If Alice wants an overall error probability less than $2\epsilon$, then she can expand randomness provided that $H_\infty^\epsilon(\rho_{X'X_1Z}|X_1Z) > 2\log\frac{1}{\epsilon} - 2$ (see Equation (1.32)).

We have not been able to usefully bound $H_\infty^\epsilon(\rho_{X'X_1Z}|X_1Z)$. However, intuitively, we expect that if a large number of GHZ tests pass, Snoop's states must be close to GHZ states, except with probability exponentially small in the number of tests. In Appendix C we give a complete description of the set of states that perfectly satisfy a GHZ test. Such states all generate 2 bits of private randomness per test. Hence, we suspect that, conditioned on $m$ GHZ tests passing, $H_\infty^\epsilon(\rho_{X'X_1Z}|X_1Z)$ is less than, but approximately equal to, $2m$. In fact, to ensure our result, we need a weaker conjecture, as follows.

Conjecture 5.1. If Protocol 5.1 is followed exactly by Alice, then for all $\zeta > 0$, $\epsilon > 0$, there exists a sufficiently large integer, $m$, such that conditioned on $m$ GHZ tests passing, $H_\infty^\epsilon(\rho_{X'X_1Z}|X_1Z) > \zeta$.
If we accept this conjecture, then any desired length of additional private random string can be generated using a sufficiently long initial string (but at present, we do not know how to relate the number of tests to the amount of additional randomness). This conjecture, together with Equation (1.32), implies that we can use Protocol 5.1 to generate $r$ additional random bits except with probability

$$\delta < \epsilon + 2^{-\frac{\zeta - r + 2}{2}}. \qquad (5.5)$$

Conjecture 5.1 implies that for fixed $\zeta$, increasing $m$ reduces $\epsilon$, while for fixed $\epsilon$, increasing $m$ increases $\zeta$. Hence, $\delta$ can be made arbitrarily small for fixed $r$, by increasing $m$, which in turn requires a longer initial string.

The capacity for generating any finite amount of additional randomness may 
be useful in itself, but what is more useful is the ability to take a string and 
expand it by an arbitrary amount. In the next section we give a protocol to do 
just that. 

5.2.4 Indefinite Expansion 

If we accept Conjecture 5.1, then, except with a probability exponentially small in the number of tests performed, the string generated in Protocol 5.1 is private and random. In this section, we introduce a protocol that we conjecture allows a sufficiently long initial random string to be expanded by an arbitrary amount.

As we have mentioned, one cannot simply feed the original string, $x$, twice into the same devices to double the amount of randomness gained. On the other hand, if a second device triple is supplied by Snoop, and can be assured no means of communication with the original (which is reasonable given Assumption 1), then the string $(x, s)$ generated by the first triple is private and random with respect to the second, and hence can be used as input. One natural way to assure independence is simply to provide spatial separation between the device triples, in which case the same string $x$ (but not $(x, s)$) can be used for each triple. The overall protocol is as follows.

Protocol 5.2.

1. Alice asks Snoop for $N$ device triples.

2. She places each device triple within its own sub-lab of her laboratory such that no two can communicate.

3. Within each sub-lab, Alice uses her device triple to perform Protocol 5.1 with the same initial string, $x$, being used for each. The output generated in lab $i$ is string $s_i$, and we denote the intermediate (non-hashed) string in this lab $x'_i$. If any of the GHZ tests fail, the entire protocol aborts.

4. The strings $\{s_i\}$ are concatenated to form the final output.

This protocol is illustrated in Figure 5.2.

If we accept Conjecture 5.1, then each device triple, taken on its own, generates a non-zero amount of private randomness, except with probability $\delta$, as defined by Equation (5.5). From the discussion of privacy amplification in Section 1.4.2.1, this means that, for any system held by Snoop, he can distinguish Alice's string from a uniform one with probability at most $\delta$. This includes the case where, after the protocol has taken place, Snoop learns $x$. Since this must hold for any system held by Snoop, we have that the strings $\{s_i\}$ are independent, since one possible strategy for Snoop is to keep the other $N - 1$ systems. Hence, this protocol generates $N$ times as much randomness as Protocol 5.1. Thus, provided the initial private random string is sufficiently long that it would generate a longer string in Protocol 5.1, it can be used to generate an arbitrarily large amount of additional private randomness.

5.3 Resource Considerations 

We have described two protocols for the expansion of random strings. For a given 
initial string, the first protocol has limited potential for expansion, while the 
second can be used to expand this string by an arbitrary amount, but requires 
a large supply of device triples in order to do so. We consider the following 
resources: 

1. The number of bits forming the initial string, $n$, and

2. The number of sub-laboratories Alice must form, $N$.

Such resources limit the amount of additional randomness that can be generated, as well as the probability of error achievable.

Figure 5.2: Diagram of the steps in Protocol 5.2. The same string, $x$, is used to generate the input to each device triple. We have numbered each sub-lab in which instances of Protocol 5.1 occur.

For a fixed initial string, Protocol 5.2 allows an arbitrary amount of randomness to be generated, provided that $n$ is sufficient for the error tolerance required. On the other hand, if $N$ is fixed as well, then there is some limit on the amount of expansion possible. Since Protocol 5.1 is called as a sub-protocol of Protocol 5.2, we look to enhance the former in order to improve efficiency.

There are two ways in which one might increase the amount of randomness generated over that given using Protocol 5.1. The first is to use a more efficient extractor than the universal hash functions we have considered, so that the relative size of $x'$ over $R$ could be increased. The second is to use a more efficient test to generate the additional randomness. This latter consideration is discussed in the next section.

5.3.1 Beyond The GHZ Test 

Consider the task of using an $n$ bit initial string in some procedure in order to maximize the length of additional random string generated, while relying on universal hashing for privacy amplification. We use universal hash functions which require a random string equal in length to the string being hashed. Consider now a GHZ-like test whose output is $v$ times the length of the input. In order to use such a test to form a new string, the $n$ bit string is partitioned into two strings, one of length $\frac{n}{1+v}$ and one of length $\frac{vn}{1+v}$. The first of these is used, via the GHZ-like test, to generate a string of length $\frac{vn}{1+v}$, which is hashed using the second to form the final string. In this way, the original $n$ bit string has been used to form one of length $n\left(1 + \frac{v}{1+v}\right)$ (ignoring the reduction in length required for security, which, for large $n$, represents an arbitrarily small fraction of the length). In the limit $v \to \infty$, the original string can be doubled in length. This should be compared to an increase of $\frac{3}{2}$ times if the original GHZ test is used,¹⁰ or approximately 1.4 times if CHSH is used.

10 In the GHZ case, choosing between each of the four quantities to test uses two bits of randomness, while the amount of randomness gained from a successful test is also two bits according to quantum theory (each of the four possible outcomes from any of the measurements (e.g., for $P_1P_2P_3$, the four are $- - -$, $+ + -$, $+ - +$ and $- + +$) are equally likely). Hence, for this test, $v = 1$.

Arbitrarily large values of $v$ are possible for appropriately constructed tests. One such construction was conceived by Pagonis, Redhead and Clifton. They have presented a series of Bell-type tests which extend the GHZ test to more systems. In the seven system version, Alice asks for seven of the two-input, two-output devices discussed previously, and is to consider the eight quantities

$$P_1Q_2Q_3Q_4Q_5Q_6Q_7,\; Q_1P_2Q_3Q_4Q_5Q_6Q_7,\; Q_1Q_2P_3Q_4Q_5Q_6Q_7,\; Q_1Q_2Q_3P_4Q_5Q_6Q_7,$$
$$Q_1Q_2Q_3Q_4P_5Q_6Q_7,\; Q_1Q_2Q_3Q_4Q_5P_6Q_7,\; Q_1Q_2Q_3Q_4Q_5Q_6P_7,\; P_1P_2P_3P_4P_5P_6P_7.$$

She demands that the first seven are always $+1$, while the last should be $-1$. Again, it is easy to see that this is classically impossible. We conjecture that quantum mechanically, all states which satisfy these requirements are essentially seven system analogues of the GHZ state, i.e. $\frac{1}{\sqrt{2}}(|0000000\rangle - |1111111\rangle)$ (like in the GHZ case discussed in Appendix C), although this remains unproven.¹¹ For this test, 3 bits of randomness are required to choose amongst the eight settings, while in a successful implementation of the test on this state, 6 bits of randomness are generated by the output. Higher dimensional versions of this test lead to larger increases still. In the $k$th version of this test, $4k - 1$ devices are required to measure one of $4k$ quantities. Such a test generates $4k - 2$ bits of randomness, and hence has an associated value $v = \frac{4k-2}{\log 4k}$.

Although these tests allow a larger amount of additional randomness per bit of original string, there is a tradeoff in that they generate lower detection probabilities in the event that Snoop cheats. This is easily illustrated by considering a classical attack. For a GHZ test, a classical attack can escape detection with probability $\frac{3}{4}$ per test, while in the seven system generalization, this figure is $\frac{7}{8}$ per test. However, without a relation between the smooth min-entropy and the number of tests, we cannot fully classify the tradeoff.

5.4 Discussion

In this chapter, we have introduced two protocols that we conjecture allow the expansion of a private random string using untrusted devices. The second of our protocols provides an arbitrarily long private random string. This may be a useful primitive on which to base other protocols in the untrusted device scenario, and this is an interesting avenue of further work. Such a scenario is of interest in that it allows us to reduce our assumptions. More fundamentally, we can think of nature as our untrusted adversary which provides devices. One could then argue that our protocols strengthen the belief that nature behaves in a random way.¹²

11 The proof provided for the GHZ case does not generalize directly.

The untrusted devices scenario is a realistic one, and will become important 
if quantum computers become widespread. The ordinary user will not want to 
construct a quantum computer themselves and will instead turn to a supplier, 
in the same way that users of classical computers do today. The protocols in 
this chapter seek to provide such users a guarantee that the devices supplied are 
behaving in such a way that their outputs are private and random, to within a 
sufficient level of confidence. 



12 Of course, it is impossible to rule out cosmic conspiracy.
Conclusions

The cryptographic power present within a model depends fundamentally on the physical theory underlying it. Non-relativistic classical theory does not give much power, and unproven technological assumptions often have to be employed in order to make cryptographic tasks possible. Non-relativistic quantum theory permits key distribution, but remains insufficient for a range of other tasks.

We have investigated quantum relativistic protocols, the most powerful allowed by current theory. Using such protocols, we have been able to widen the class of tasks known to be possible to include variable bias coin tossing. However, many remain impossible. The current state of the field for two-party protocols is summarized in Table 4.4 (see page 101). Nature itself has a built-in limit on the set of cryptographic tasks allowed. For some, it is fundamentally necessary to appeal to assumptions about the adversary in order that they be achieved. One might speculate that developments to our current theory (e.g. a theory of quantum gravity) could be such that they alter the set of allowed tasks.

We have also investigated cryptographic tasks outside the standard model. 
Specifically, we have dropped the usual assumption that each party trusts all the 
devices within their laboratory. In the untrusted devices model, any quantum 
devices used are assumed to be produced by a malicious adversary. Even within 
this highly restrictive scenario, some cryptographic procedures can succeed. We 
have discussed the task of expanding a private random string in detail, giving 
two protocols which we conjecture do just that. 

Throughout this thesis, we have sought unconditional security. Our goal has been to use a minimal set of assumptions in order to do cryptography. Aside from its obvious practical benefits, a classification of tasks as possible or impossible is of intellectual interest as a way of giving insight into fundamental physics itself. However, when considering real-world cryptography, unconditional security is unattainable in the way we have described. Our first assumption, that each party has complete trust in the security of their laboratory, for example, is at best an assumption about the power of an adversary, since an impenetrable laboratory is impossible to realize.

Trust is something of a commodity in cryptography. In practice, the over- 
whelming majority of users are much more trusting than we have allowed for. 
They will, for instance, accept the functionality of their devices on faith, taking 
the presence of a padlock symbol in the corner of their browser window as a guar- 
antee that their communications are being encrypted. Furthermore, they provide 
any malicious code on their system with a high capacity channel (an internet 
connection) with which to release private data. Trusted suppliers are hence a 
virtual necessity in any large-scale cryptographic network. 

Ultimately, it is not for us to say which assumptions a given user should 
accept and which they should not. Instead, we set up protocols and clearly state 
the assumptions under which they are secure. In this way, the responsibility of 
deciding whether a given protocol is of use in a particular situation is delegated 
to its user. 
Appendix A. Maximizing The Probability Of Distinguishing Between Two Quantum States

Here we prove the following theorem.

Theorem A.1. Bob is in possession of one of two states whose density matrices are $\rho_0$ and $\rho_1$, for which the prior probability of $\rho_0$ is $\eta_0$, and of $\rho_1$ is $\eta_1 = 1 - \eta_0$. The POVM which is optimal to distinguish these states does so with success probability $\frac{1}{2}\left(1 + \mathrm{tr}\,|\eta_0\rho_0 - \eta_1\rho_1|\right)$.

Proof. Our proof follows a similar argument to Nielsen and Chuang [4], but extends their result to the case of unequal prior probabilities.

Consider a POVM described by elements $\{E_i\}_{i=1}^N$, which satisfy $\sum_{i=1}^N E_i = 1$. Measurement with this POVM on the state provided generates outcomes according to one of two probability distributions. We have $P_I(i) = \mathrm{tr}(\rho_0 E_i)$ and $Q_I(i) = \mathrm{tr}(\rho_1 E_i)$, where $P_I$ occurs with probability $\eta_0$ and $Q_I$ with probability $\eta_1$. On measuring outcome $i$, our best guess of the distribution will be the one with $\max(\eta_0 P_I(i), \eta_1 Q_I(i))$, this guess being correct with probability $\frac{\max(\eta_0 P_I(i), \eta_1 Q_I(i))}{\eta_0 P_I(i) + \eta_1 Q_I(i)}$. The overall probability that we guess correctly using this POVM is then $\sum_i \max(\eta_0 P_I(i), \eta_1 Q_I(i))$. Let us label the $\{P_I(i), Q_I(i)\}$ such that $\eta_0 P_I(i) \geq \eta_1 Q_I(i)$ for $i = 1, \ldots, d$, and $\eta_0 P_I(i) < \eta_1 Q_I(i)$ for $i = d+1, \ldots, N$. Then,

$$\begin{aligned}
\sum_{i=1}^N \max(\eta_0 P_I(i), \eta_1 Q_I(i)) &= \sum_{i=1}^d \eta_0 P_I(i) + \sum_{i=d+1}^N \eta_1 Q_I(i) \\
&= \frac{1}{2}\left(\sum_{i=1}^N \left(\eta_0 P_I(i) + \eta_1 Q_I(i)\right) + \sum_{i=1}^d \left(\eta_0 P_I(i) - \eta_1 Q_I(i)\right) - \sum_{i=d+1}^N \left(\eta_0 P_I(i) - \eta_1 Q_I(i)\right)\right) \\
&= \frac{1}{2}\left(1 + \sum_{i=1}^N \left|\eta_0 P_I(i) - \eta_1 Q_I(i)\right|\right), \qquad (A.1)
\end{aligned}$$

where we have used $\sum_i P_I(i) = \sum_i Q_I(i) = 1$ and $\eta_0 + \eta_1 = 1$.

Let us now define positive operators $T_0$ and $T_1$ with orthogonal support such that $\eta_0\rho_0 - \eta_1\rho_1 = T_0 - T_1$, and hence $|\eta_0\rho_0 - \eta_1\rho_1| = T_0 + T_1$. We then have that

$$\sum_{i=1}^N \left|\eta_0 P_I(i) - \eta_1 Q_I(i)\right| = \sum_{i=1}^N \left|\mathrm{tr}\left(E_i(\eta_0\rho_0 - \eta_1\rho_1)\right)\right| \leq \mathrm{tr}\,|\eta_0\rho_0 - \eta_1\rho_1|, \qquad (A.2)$$

where the final inequality follows from the fact that $|\mathrm{tr}(E_i(T_0 - T_1))| \leq \mathrm{tr}(E_i(T_0 + T_1)) = \mathrm{tr}(E_i|\eta_0\rho_0 - \eta_1\rho_1|)$, and $\sum_i E_i = 1$.

It remains to show that a POVM exists that achieves equality in (A.2). The relevant POVM is $\{\Pi_0, \Pi_1\}$, where $\Pi_0$ is the projector onto the support of $T_0$, and $\Pi_1 = 1 - \Pi_0$, which contains the projector onto the support of $T_1$. It is easy to show that this POVM has the desired properties: $\mathrm{tr}(\Pi_0(T_0 - T_1)) = \mathrm{tr}\,T_0$ and $\mathrm{tr}(\Pi_1(T_0 - T_1)) = -\mathrm{tr}\,T_1$, so the left-hand side of (A.2) equals $\mathrm{tr}(T_0 + T_1)$. We have hence shown that the inequality (A.2) can be saturated, hence the result. QED
As a corollary to this theorem, if the states to be distinguished have equal priors, then they can be successfully distinguished with probability at most $\frac{1}{2}(1 + D(\rho_0, \rho_1))$, where $D(\rho_0, \rho_1) = \frac{1}{2}\mathrm{tr}\,|\rho_0 - \rho_1|$ is the trace distance between the two states.
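Theorem A.1 carried out numerically for qubits, as an added example (not code from the thesis): it builds $\gamma = \eta_0\rho_0 - \eta_1\rho_1$, takes $\Pi_0$ as the projector onto its non-negative eigenspace and $\Pi_1 = 1 - \Pi_0$, and checks that this measurement attains $\frac{1}{2}(1 + \mathrm{tr}|\gamma|)$ while a computational-basis measurement does not. The $2\times 2$ eigendecomposition is done in closed form so that nothing beyond the standard library is needed; matrix and function names, and the sample states $|0\rangle$ and $|+\rangle$, are this example's own.

```python
import math

def mat_sub(a, b):
    return [[a[i][j] - b[i][j] for j in range(2)] for i in range(2)]

def mat_add(a, b):
    return [[a[i][j] + b[i][j] for j in range(2)] for i in range(2)]

def mat_scale(s, a):
    return [[s * a[i][j] for j in range(2)] for i in range(2)]

def trace_prod(a, b):
    """tr(a b) for 2x2 matrices."""
    return sum(a[i][j] * b[j][i] for i in range(2) for j in range(2))

def projector(vec):
    """|v><v| / <v|v>."""
    norm = sum(abs(v) ** 2 for v in vec)
    return [[vec[i] * vec[j].conjugate() / norm for j in range(2)] for i in range(2)]

def hermitian_eig(m):
    """Eigenpairs (lambda, unnormalised eigenvector) of a 2x2 Hermitian matrix."""
    a, b, d = m[0][0].real, m[0][1], m[1][1].real
    if abs(b) < 1e-12:                       # already diagonal
        return [(a, [1, 0]), (d, [0, 1])]
    half_tr = (a + d) / 2
    disc = math.sqrt(((a - d) / 2) ** 2 + abs(b) ** 2)
    # (m - lam) v = 0 is solved by v = (b, lam - a) when b != 0
    return [(lam, [b, lam - a]) for lam in (half_tr + disc, half_tr - disc)]

def gamma(rho0, rho1, eta0):
    """eta0*rho0 - eta1*rho1 with eta1 = 1 - eta0."""
    return mat_sub(mat_scale(eta0, rho0), mat_scale(1 - eta0, rho1))

def helstrom_bound(rho0, rho1, eta0):
    """(1 + tr|gamma|)/2; tr|gamma| is the sum of the absolute eigenvalues."""
    return 0.5 * (1 + sum(abs(lam) for lam, _ in hermitian_eig(gamma(rho0, rho1, eta0))))

def optimal_povm(rho0, rho1, eta0):
    """{Pi0, Pi1}: Pi0 projects onto the non-negative eigenspace of gamma (support of T0)."""
    pi0 = [[0, 0], [0, 0]]
    for lam, vec in hermitian_eig(gamma(rho0, rho1, eta0)):
        if lam >= 0:
            pi0 = mat_add(pi0, projector(vec))
    pi1 = mat_sub([[1, 0], [0, 1]], pi0)
    return pi0, pi1

def success_probability(rho0, rho1, eta0, povm):
    """eta0 tr(rho0 E0) + eta1 tr(rho1 E1): guess rho0 on outcome 0, rho1 on outcome 1."""
    e0, e1 = povm
    return (eta0 * trace_prod(rho0, e0) + (1 - eta0) * trace_prod(rho1, e1)).real

def trace_distance(rho0, rho1):
    """D = tr|rho0 - rho1| / 2, the corollary's equal-prior quantity."""
    return 0.5 * sum(abs(lam) for lam, _ in hermitian_eig(mat_sub(rho0, rho1)))

KET0 = [[1, 0], [0, 0]]                   # |0><0|
KETPLUS = [[0.5, 0.5], [0.5, 0.5]]         # |+><+|
COMPUTATIONAL_BASIS = ([[1, 0], [0, 0]], [[0, 0], [0, 1]])

if __name__ == "__main__":
    for eta0 in (0.5, 0.9):
        povm = optimal_povm(KET0, KETPLUS, eta0)
        print(eta0, helstrom_bound(KET0, KETPLUS, eta0),
              success_probability(KET0, KETPLUS, eta0, povm),
              success_probability(KET0, KETPLUS, eta0, COMPUTATIONAL_BASIS))
```

For $|0\rangle$ versus $|+\rangle$ with equal priors the bound is $\frac{1}{2} + \frac{\sqrt{2}}{4} \approx 0.854$, and with $\eta_0 = 0.9$ the optimal measurement still beats the trivial strategy of always guessing the likelier state (success $0.9$).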
Appendix B. A Zero Knowledge Protocol For Graph Non-Isomorphism

We use the task of providing a zero-knowledge proof for graph non-isomorphism as an illustration that universally composable security definitions can be satisfied, even in cryptographic protocols in which one party responds after having received information from another. The protocol we use is classical and is found in [60]. We discuss its universally composable properties here.

A zero-knowledge proof is a protocol involving a verifier and a prover. It ensures that if some statement is true, and the protocol is followed honestly, the prover is able to convince the verifier of its truth, without revealing any other information. Furthermore, if the statement is false, it is impossible (except with a probability that repetition makes arbitrarily small) to convince the verifier that it is true.

In this context, a graph is a set of nodes together with a defined connectivity. A zero-knowledge proof for graph non-isomorphism is one in which the prover can convince a verifier that two graphs are inequivalent under any permutation of their vertices. In our protocol, we assume that the prover has a device which solves the graph isomorphism problem (i.e., a device which, when given two graphs, decides whether they are isomorphic or not), but that the (computationally bounded) verifier cannot solve this problem.

Protocol B.1.

We label the two graphs $G_0$ and $G_1$. These are known to both the prover and verifier.

1. The verifier picks either $G_0$ or $G_1$ at random and applies a random permutation, $\Pi$, to it. This permuted graph is sent to the prover.

2. The prover tests to see whether the graph is a permutation of $G_0$ or $G_1$, and returns 0 or 1 to the verifier accordingly.

3. The verifier checks whether the prover was correct. If so, this process is repeated until a sufficient confidence level is reached. If not, then no proof has been provided that the graphs are non-isomorphic.

4. We denote the outcome of the protocol $a = 1$ if the proof is accepted, and $a = 0$ if it is not.

The ideal functionality has the following behaviour.

Ideal Functionality B.1. If the graphs are non-isomorphic, the prover can choose whether to prove the non-isomorphism or not (i.e., whether the ideal will output $a = 1$ or $a = 0$ to the verifier). If they are isomorphic, the ideal can only output $a = 0$ to the verifier.

Consider now a scenario in which the prover has access to an additional device into which she inputs the permutation, and the device returns either $c = 0$ or $c = 1$. This device is analogous to the additional device used by Bob in Section 4.2.1, and uses an algorithm unknown to the prover. There, the additional device broke the requirements for universally composable security. However, here it does not. We show that a dishonest prover can use this device and a device performing the ideal functionality in order to simulate all the data she would gain by using this device in the real protocol. The prover simply simulates each permutation and inputs the permuted graph into the additional device. The outcomes either correspond to correct identification of the chosen graph, or they do not. If they do, the prover simply tells the ideal functionality to output $a = 1$; otherwise she tells it to output $a = 0$.

It is important that the inputs to the additional device are made prior to the ideal being used. Once the ideal has been executed, the simulator cannot then generate pairs $(\Pi, c)$ that are correctly distributed with $a$.
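Protocol B.1 and Ideal Functionality B.1 run end to end on small graphs, as an added example (not code from the thesis or from [60]). The prover's isomorphism device is a brute-force search over all $n!$ vertex relabellings, which is adequate for the five-vertex sample graphs constructed here; graph representation, function names and the sample graphs are this example's own. An honest prover on non-isomorphic graphs answers every challenge, while on isomorphic graphs no prover can do better than guess, so after $k$ rounds the verifier accepts with probability $2^{-k}$, matching the ideal's fixed output $a = 0$.

```python
import random
from itertools import permutations

def graph(edges):
    """Undirected graph on vertices 0..n-1 as a frozenset of 2-vertex frozensets."""
    return frozenset(frozenset(e) for e in edges)

def permute(g, perm):
    """Relabel vertex i -> perm[i]; this is the verifier's random permutation Pi."""
    return frozenset(frozenset(perm[v] for v in e) for e in g)

def isomorphic(n, g, h):
    """The prover's graph-isomorphism device: brute force over all n! relabellings."""
    return any(permute(g, p) == h for p in permutations(range(n)))

def honest_prover(n, g0, g1, challenge):
    """Step 2: say which of G_0, G_1 the challenge is a permutation of (None if both)."""
    m0, m1 = isomorphic(n, g0, challenge), isomorphic(n, g1, challenge)
    if m0 != m1:
        return 0 if m0 else 1
    return None

def make_guessing_prover(seed):
    """A cheating prover facing isomorphic graphs can do no better than guess."""
    rng = random.Random(seed)
    return lambda n, g0, g1, challenge: rng.choice((0, 1))

def run_protocol(n, g0, g1, prover, rounds, rng):
    """Steps 1-4 of Protocol B.1; returns a = 1 if the proof is accepted, else a = 0."""
    for _ in range(rounds):
        bit = rng.choice((0, 1))                  # verifier picks G_0 or G_1
        perm = list(range(n))
        rng.shuffle(perm)                         # random permutation Pi
        challenge = permute((g0, g1)[bit], perm)  # sent to the prover
        if prover(n, g0, g1, challenge) != bit:   # verifier checks the answer
            return 0
    return 1

def ideal_functionality(n, g0, g1, prover_choice):
    """Ideal Functionality B.1: a = prover's choice if non-isomorphic, else a = 0."""
    return 0 if isomorphic(n, g0, g1) else prover_choice

# Constructed sample graphs: a 5-cycle, a relabelled 5-cycle (the pentagram),
# and a triangle with a two-edge tail (same vertex and edge counts, not a cycle).
C5 = graph([(0, 1), (1, 2), (2, 3), (3, 4), (4, 0)])
PENTAGRAM = graph([(0, 2), (2, 4), (4, 1), (1, 3), (3, 0)])
TRIANGLE_WITH_TAIL = graph([(0, 1), (1, 2), (2, 0), (2, 3), (3, 4)])

if __name__ == "__main__":
    print("honest, non-isomorphic:",
          run_protocol(5, C5, TRIANGLE_WITH_TAIL, honest_prover, 20, random.Random(1)))
    print("guessing, isomorphic:  ",
          run_protocol(5, C5, PENTAGRAM, make_guessing_prover(2), 64, random.Random(3)))
```

The real output on the two sample pairs coincides with the ideal's: $a = 1$ for the non-isomorphic pair when the prover wants to prove it, and $a = 0$ for the isomorphic pair whatever the prover does.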
Appendix C. The Complete Set Of Quantum States That Can Pass A GHZ Test

The technique that we follow in this section is similar to that used to find the complete set of states and measurements producing maximal violation of the CHSH inequality.

We seek the complete set of tripartite states (in finite dimensional Hilbert spaces), and two-setting measurement devices that output either $1$ or $-1$, such that, denoting the settings of device $i$ by $P_i$ and $Q_i$, we have,

1. If all three detectors measure $P_i$, then the product of their outcomes is $-1$.

2. If two detectors measure $Q_i$ and one measures $P_i$, then the product of their outcomes is $+1$.
These are equivalent to demanding

$$P_1 \otimes P_2 \otimes P_3 |\Psi\rangle = -|\Psi\rangle \qquad (C.1)$$
$$Q_1 \otimes Q_2 \otimes P_3 |\Psi\rangle = |\Psi\rangle \qquad (C.2)$$
$$Q_1 \otimes P_2 \otimes Q_3 |\Psi\rangle = |\Psi\rangle \qquad (C.3)$$
$$P_1 \otimes Q_2 \otimes Q_3 |\Psi\rangle = |\Psi\rangle, \qquad (C.4)$$

where $|\Psi\rangle$ is the tripartite state. We then have

$$F|\Psi\rangle = \frac{1}{4}\left(P_1 \otimes Q_2 \otimes Q_3 + Q_1 \otimes P_2 \otimes Q_3 + Q_1 \otimes Q_2 \otimes P_3 - P_1 \otimes P_2 \otimes P_3\right)|\Psi\rangle = |\Psi\rangle. \qquad (C.5)$$

$|\Psi\rangle$ is thus an eigenstate of $F$ with eigenvalue 1, so that $F^2|\Psi\rangle = |\Psi\rangle$. Using $P_i^2 = Q_i^2 = 1$, this is equivalent to

$$\left(i[P_1,Q_1] \otimes i[P_2,Q_2] \otimes 1 + i[P_1,Q_1] \otimes 1 \otimes i[P_3,Q_3] + 1 \otimes i[P_2,Q_2] \otimes i[P_3,Q_3]\right)|\Psi\rangle = 12|\Psi\rangle. \qquad (C.6)$$

The maximum eigenvalue of $i[P_1,Q_1]$ is 2, hence

$$i[P_1,Q_1] \otimes i[P_2,Q_2] \otimes 1\,|\Psi\rangle = 4|\Psi\rangle \qquad (C.7)$$

and similar relations for the other permutations. We hence have

$$i[P_1,Q_1] \otimes 1 \otimes 1\,|\Psi\rangle = 2|\Psi\rangle, \qquad (C.8)$$

from which, since $(i[P_1,Q_1])^2 + \{P_1,Q_1\}^2 = 4$, it follows that

$$\langle\Psi|\left(\{P_1,Q_1\} \otimes 1 \otimes 1\right)^2|\Psi\rangle = 0 \qquad (C.9)$$

and hence that

$$\left(\{P_1,Q_1\} \otimes 1 \otimes 1\right)|\Psi\rangle = 0. \qquad (C.10)$$

Consider the following Schmidt decomposition $|\Psi\rangle = \sum_{i=1}^n \lambda_i |i_1\rangle|i_{23}\rangle$, where $\lambda_i \geq 0\ \forall i$, and $n$ is the dimensionality of the first system. Then, if $\lambda_i \neq 0\ \forall i$, the $\{|i_1\rangle\}$ are $n$ eigenstates of $\{P_1,Q_1\}$, each having eigenvalue 0. Since there are only $n$ eigenstates, we must have $\{P_1,Q_1\} = 0$.
If some of the $\lambda_i$ are zero, then we can define a projector onto the non-zero subspace. Call this $\Pi_1$, and define $p_1 = \Pi_1 P_1 \Pi_1$ and $q_1 = \Pi_1 Q_1 \Pi_1$. Similarly, define projectors $\Pi_2$ and $\Pi_3$, and hence operators $p_2, q_2$ and $p_3, q_3$ by taking the Schmidt decomposition for systems (1,3) and 2, and (1,2) and 3, respectively. It is then clear that

$$\frac{1}{4}\left(p_1 \otimes q_2 \otimes q_3 + q_1 \otimes p_2 \otimes q_3 + q_1 \otimes q_2 \otimes p_3 - p_1 \otimes p_2 \otimes p_3\right)|\Psi\rangle = |\Psi\rangle \qquad (C.11)$$

holds for the projected operators, and hence, these satisfy $\{p_i, q_i\} = 0$ for $i = 1, 2, 3$.

The relationships $p_i^2 = 1$, $q_i^2 = 1$, $\{p_i, q_i\} = 0$ then apply for the Hilbert space restricted by $\{\Pi_i\}$. These imply that $p_i$, $q_i$ and $\frac{i}{2}[q_i, p_i]$ transform like the generators of SU(2). The operators may form a reducible representation, in which case we can construct a block diagonal matrix with irreducible representations on the diagonal. The anticommutator property means that only the two-dimensional representation can appear, hence we can always pick a basis such that $p_i = 1_{d_i} \otimes \sigma_{xi}$ and $q_i = 1_{d_i} \otimes \sigma_{yi}$ for some dimension, $d_i$, of identity matrix. Our state then needs to satisfy

$$1_{d_1} \otimes \sigma_{x1} \otimes 1_{d_2} \otimes \sigma_{x2} \otimes 1_{d_3} \otimes \sigma_{x3}\,|\Psi\rangle = -|\Psi\rangle, \qquad (C.12)$$

and similar relations for the other combinations analogous to (C.2)–(C.4). By an appropriate swap operation, this becomes

$$1_{d_1 d_2 d_3} \otimes \sigma_{x1} \otimes \sigma_{x2} \otimes \sigma_{x3}\,|\Psi\rangle = -|\Psi\rangle, \qquad (C.13)$$

etc., which makes it clear that the system can be divided into subspaces, each of which must satisfy the GHZ relation (C.5). In an appropriate basis, we can write

$$|\Psi\rangle = \begin{pmatrix} a_1 |\psi_{\mathrm{GHZ}}\rangle \\ a_2 |\psi_{\mathrm{GHZ}}\rangle \\ \vdots \end{pmatrix}, \qquad (C.14)$$

where $|\psi_{\mathrm{GHZ}}\rangle = \frac{1}{\sqrt{2}}(|000\rangle - |111\rangle)$,¹ and the complex coefficients $\{a_j\}$ simply weight each subspace and satisfy $\sum_j |a_j|^2 = 1$. We have hence obtained the complete set of states and operators satisfying (C.1)–(C.4), up to local unitaries.

1 This is the only solution to $(\sigma_{x1} \otimes \sigma_{y2} \otimes \sigma_{y3} + \sigma_{y1} \otimes \sigma_{x2} \otimes \sigma_{y3} + \sigma_{y1} \otimes \sigma_{y2} \otimes \sigma_{x3} - \sigma_{x1} \otimes \sigma_{x2} \otimes \sigma_{x3})|\psi_j\rangle = 4|\psi_j\rangle$, up to global phase.
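A numerical check of the relations of this appendix in the two-dimensional representation $P_i = \sigma_x$, $Q_i = \sigma_y$ on $|\psi_{\mathrm{GHZ}}\rangle$, as an added example (not code from the thesis). It verifies the signs in (C.1)–(C.4), that $F$ of (C.5) has eigenvalue 1, the eigenvalue 12 in (C.6), the anticommutation $\{\sigma_x, \sigma_y\} = 0$ and the top eigenvalue 2 of $i[\sigma_x, \sigma_y]$ used in (C.7)–(C.8), and computes the Born probabilities of the eight outcome triples for a setting, which are the "two bits per test" statistics the chapter relies on. The tiny matrix helpers and function names are this example's own; only the standard library is used.

```python
import math
from itertools import product

SQ2 = math.sqrt(2)
I2 = [[1, 0], [0, 1]]
SX = [[0, 1], [1, 0]]
SY = [[0, -1j], [1j, 0]]
PAULI = {"P": SX, "Q": SY}
GHZ = [1 / SQ2, 0, 0, 0, 0, 0, 0, -1 / SQ2]   # (|000> - |111>)/sqrt(2), |000> first

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]

def add(a, b):
    return [[a[i][j] + b[i][j] for j in range(len(a[0]))] for i in range(len(a))]

def scale(s, a):
    return [[s * x for x in row] for row in a]

def kron(a, b):
    rb, cb = len(b), len(b[0])
    return [[a[i // rb][j // cb] * b[i % rb][j % cb]
             for j in range(len(a[0]) * cb)] for i in range(len(a) * rb)]

def kron3(a, b, c):
    return kron(kron(a, b), c)

def apply(m, v):
    return [sum(m[i][j] * v[j] for j in range(len(v))) for i in range(len(m))]

def close(u, v, tol=1e-12):
    return all(abs(x - y) < tol for x, y in zip(u, v))

def setting_operator(setting):
    """e.g. 'PQQ' -> sigma_x (x) sigma_y (x) sigma_y."""
    return kron3(*(PAULI[s] for s in setting))

def eigenvalue_on_ghz(setting):
    """+1 or -1 if |psi_GHZ> is an eigenstate of the setting operator, else None."""
    w = apply(setting_operator(setting), GHZ)
    for lam in (1, -1):
        if close(w, [lam * x for x in GHZ]):
            return lam
    return None

def ghz_operator():
    """F = (PQQ + QPQ + QQP - PPP)/4 of Equation (C.5)."""
    s = add(add(setting_operator("PQQ"), setting_operator("QPQ")),
            add(setting_operator("QQP"), scale(-1, setting_operator("PPP"))))
    return scale(0.25, s)

def is_f_eigenstate():
    return close(apply(ghz_operator(), GHZ), GHZ)

def anticommutator_is_zero():
    """{sigma_x, sigma_y} = 0, the property that forces the 2-dimensional representation."""
    ac = add(matmul(SX, SY), matmul(SY, SX))
    return all(abs(x) < 1e-12 for row in ac for x in row)

def i_commutator():
    """i[sigma_x, sigma_y] (equals -2 sigma_z)."""
    return scale(1j, add(matmul(SX, SY), scale(-1, matmul(SY, SX))))

def commutator_max_eigenvalue():
    """Largest eigenvalue of the 2x2 Hermitian matrix i[sigma_x, sigma_y]."""
    c = i_commutator()
    a, b, d = c[0][0].real, c[0][1], c[1][1].real
    return (a + d) / 2 + math.sqrt(((a - d) / 2) ** 2 + abs(b) ** 2)

def c6_eigenvalue():
    """Eigenvalue of the operator in (C.6) on |psi_GHZ>; None if not an eigenstate."""
    c = i_commutator()
    op = add(add(kron3(c, c, I2), kron3(c, I2, c)), kron3(I2, c, c))
    w = apply(op, GHZ)
    lam = w[0] / GHZ[0]                     # read lambda off the |000> component
    return lam.real if close(w, [lam * x for x in GHZ]) else None

def outcome_probabilities(setting):
    """Born probabilities of the eight +/-1 outcome triples; projector (1 + s M)/2 per device."""
    probs = {}
    for signs in product((1, -1), repeat=3):
        projs = [scale(0.5, add(I2, scale(s, PAULI[c]))) for s, c in zip(signs, setting)]
        pv = apply(kron3(*projs), GHZ)
        probs[signs] = sum(abs(x) ** 2 for x in pv)
    return probs

if __name__ == "__main__":
    for s in ("PPP", "PQQ", "QPQ", "QQP"):
        print(s, eigenvalue_on_ghz(s), outcome_probabilities(s))
    print(is_f_eigenstate(), anticommutator_is_zero(), commutator_max_eigenvalue(), c6_eigenvalue())
```

For $PPP$ only the four triples with product $-1$ have non-zero probability, each $\frac{1}{4}$; for the other three settings the same holds for product $+1$, in agreement with footnote 10 of Chapter 5.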